Email-Worm.Win32.Matcher (Kaspersky Lab) is also known as: I-Worm.Matcher (Kaspersky Lab), W32/Matcher@MM (McAfee), W32.Matcher.Worm (Symantec), Win32.HLLW.Matcher.28672 (Doctor Web), W32/Matcher-B (Sophos), Win32/Matcher.A@mm (RAV), WORM_MATCHER.A (Trend Micro), Worm/Matcher (H+BEDV), W32/HLLW.Matcher.A@mm (FRISK), Win32:Matcher (ALWIL), I-Worm/Matcher (Grisoft), I-Worm.Matcher (SOFTWIN), W32/Matcher (Panda), Win32/Matcher.28672 (Eset)
This is an Internet worm that spreads via e-mail as an attached EXE file. The
worm itself is a Win32 executable file about 30Kb in length, written in Visual
Basic.
The worm seems to be based on the "Melissa" macro-virus worm: the functions
and sequence of instructions in the worm code are very similar to the "Melissa"
source code. It seems that this worm was compiled from a slightly modified
"Melissa" source.
When the worm EXE file is run from an attachment, it sends infected
messages and registers itself in the system to run each time Windows starts up.
To spread from an infected computer, the worm uses MS Outlook: it obtains
addresses from the MS Outlook Address Book and sends messages to them.
The message Subject, Body and Attachment appear as follows:
Subject: Matcher
Body: Want to find your love mates!!! Try this its cool... Looks and Attitude
Maching to opposite sex.
Attach: matcher.exe
To install itself into a system, the worm copies itself to the Windows system
directory under the name MATCHER.EXE, and registers this file in the Windows
registry auto-run section:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
%SystemDir%\matcher.exe
where %SystemDir% is the name of the Windows system directory.
The worm also appends the following commands to the end of C:\AUTOEXEC.BAT:
@echo off
echo from: Bugger
pause
These commands display the "from: Bugger" message when the system boots up
and processes AUTOEXEC.BAT.
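The two persistence traces described above (the auto-run entry and the commands appended to AUTOEXEC.BAT) can be checked for in collected artifacts. The following is an added example, not part of the original description: the dict form of the exported Run values, the value names and all sample data are constructed assumptions, and the block is matched anywhere in the file rather than only at its end.

```python
import re

# Indicators taken from the description above.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
DROPPED_NAME = "matcher.exe"
AUTOEXEC_BLOCK = ["@echo off", "echo from: Bugger", "pause"]

def _norm(line):
    """Collapse whitespace and case so cosmetic differences do not hide a match."""
    return " ".join(line.split()).lower()

def run_key_hits(run_values):
    """Names of RUN_KEY values whose command starts the dropped file.
    run_values maps value name -> command string (assumed export format)."""
    hits = []
    for name, command in run_values.items():
        # First *.exe file name in the command, without directory or quotes.
        exe = re.search(r'[^\\/"]+\.exe\b', command, re.IGNORECASE)
        if exe and exe.group(0).lower() == DROPPED_NAME:
            hits.append(name)
    return hits

def autoexec_blocks(text):
    """Line indexes where the three appended commands occur back to back."""
    lines = [_norm(l) for l in text.splitlines()]
    want = [_norm(l) for l in AUTOEXEC_BLOCK]
    return [i for i in range(len(lines) - len(want) + 1)
            if lines[i:i + len(want)] == want]

def strip_autoexec_blocks(text):
    """AUTOEXEC.BAT content with every appended block removed."""
    drop = {i + k for i in autoexec_blocks(text) for k in range(len(AUTOEXEC_BLOCK))}
    kept = [l for n, l in enumerate(text.splitlines()) if n not in drop]
    return "\r\n".join(kept)

# Constructed sample data; the value names below are made up for the example.
SAMPLE_RUN = {
    "SystemTray": "SysTray.Exe",
    "LoadHelper": "C:\\WINDOWS\\SYSTEM\\matcher.exe",
    "Matchertool": "\"C:\\Program Files\\Tool\\matchertool.exe\" /min",
}
SAMPLE_AUTOEXEC = ("@ECHO OFF\r\nSET PATH=C:\\WINDOWS;C:\\WINDOWS\\COMMAND\r\n"
                   "@echo off\r\necho from: Bugger\r\npause\r\n")

if __name__ == "__main__":
    print(RUN_KEY, "->", run_key_hits(SAMPLE_RUN))
    print("AUTOEXEC.BAT block at line index:", autoexec_blocks(SAMPLE_AUTOEXEC))
```

A legitimate `@ECHO OFF` at the top of AUTOEXEC.BAT is not flagged, because only the full three-line sequence counts as a match.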