Silver is a dangerous worm spreading through Internet and IRC channels, as well as infecting local network. The worm itself is a Windows application written in Delphi about 90 KB of size (the worm also may be compressed by a PE .EXE compression tool, so result file size can be less than original).

Sending emails

To send infected emails from affected computers the worm tries two different methods. First of all, it looks for Eudora mailer installed in the system. If there is one, the worm scans Eudora outgoing email database (OUT.MBX file), gets email addresses from there and sends infected emails with attached worm copy to these addresses. The worm's messages have:

1st email

  • Subject: concerning last week ...
  • Text: Please review the enclosed and get back with me ASAP.
  • Double click the Icon to open it.
  • Attach: c:\silver.exe

Next the worm tries installed email system not depending on the brand. To do that the worm uses MAPI functions: it connects to installed email system, gets messages from there, reads email addresses and uses them to send its copies. In this case the messages have:

2nd email

  • Subject: Re: now this is a nice pic :-)
  • Text: Thought you might be interested in seeing her
  • Attach: naked.jpg.exe