Silver is a dangerous worm spreading through Internet and IRC channels, as well as infecting local network. The worm itself is a Windows application written in Delphi about 90 KB of size (the worm also may be compressed by a PE .EXE compression tool, so result file size can be less than original).
To send infected emails from affected computers the worm tries two different methods. First of all, it looks for Eudora mailer installed in the system. If there is one, the worm scans Eudora outgoing email database (OUT.MBX file), gets email addresses from there and sends infected emails with attached worm copy to these addresses. The worm's messages have:
- Subject: concerning last week ...
- Text: Please review the enclosed and get back with me ASAP.
- Double click the Icon to open it.
- Attach: c:\silver.exe
Next the worm tries installed email system not depending on the brand. To do that the worm uses MAPI functions: it connects to installed email system, gets messages from there, reads email addresses and uses them to send its copies. In this case the messages have:
- Subject: Re: now this is a nice pic :-)
- Text: Thought you might be interested in seeing her
- Attach: naked.jpg.exe