Home / malware W32.Conpilf@mm
First posted on 05 September 2015.
Source: SymantecAliases :
There are no other names known for W32.Conpilf@mm.
Explanation :
The worm may arrive through spam email messages.
When executed, the worm creates the following folders:
%Temp%\RarSFX0%Temp%\RarSFX1
Next, the worm creates the following files:
%Temp%\httpwww.asesoriafiscalacf.comjsup.php%Temp%\RarSFX0\MAPIEx.dll%Temp%\RarSFX1\MAPIEx.dll%Temp%\RarSFX0\aa.exe%Temp%\RarSFX1\aa.exe%Temp%\RarSFX0\NetMAPI.dll %Temp%\RarSFX1\NetMAPI.dll
The worm then gathers email addresses found in Microsoft Outlook.
The worm then sends the stolen information to the following remote location:
www.asesoriafiscalacf.com/js/up.php
The worm may then send itself in an email to all the email addresses it found on the compromised computer in order to spread further.
The email will have the following characteristics:
Subject: RE: esta factura es tuya me llego por error.
Attachment: Factura_02125.doc
Body:
Hola
Me llego esta factura a mi correo por error. Esta a tu nombre asique te la adjunto en este correo, esta en formato word.
Saludos.Last update 05 September 2015