Snapper is a multi-component e-mail worm. It consists of an HTML
page, a script dropper and a DLL file that is installed on a
The worm's distribution cycle starts from an e-mail. The e-mail
contains a link to the "banner.htm" webpage on a webserver in the
USA. This link can be automatically activated on certain e-mail
clients because the worm uses the Iframe exploit in its e-mail
message. So the worm doesn't send itself as an attachment, it
sends a link with an exploit.
When the link is activated, the worm connects to the web site and
executes the script. The script determines the version version of
Internet Explorer. For versions 5.0, 5.5 and 6.0, the worm uses
the Object data Remove Execution (MS03-032) vulnerability to run
another script written with Visual Basic Script, "htmlhelp.cgi",
from the same web site. This VBS script then drops the binary
part as "Ieload.dll" to the Windows installation directory and
Further information about the vulnerability is available from
The binary part of the worm is a Windows DLL file 8704 bytes
long. The DLL has 2 functions: InstallDLL and MessageHandler
that does the e-mail spreading.
The script dropper activates the InstallDLL function and then
deletes the DLL file from Windows folder. When the DLL is
activated, it copies itself as IELOAD.DLL to Windows System
folder and registers itself as a Browser Helper Object. The worm
creates a unique class ID under the following Registry key:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
That class ID points to IELOAD.DLL file that is located in
Windows System folder.
After that the worm opens a connection to a website (different
from the one that has the BANNER.HTM and worm's DLL) and reports
that it has been installed and sends country info there.
Then the worm gets user's SMTP information (account, e-mail, user
name) from the Registry, opens users Windows Address Book file,
reads it and send e-mails to all found e-mail addreses.
The e-mail sent by the worm has 'Re:' as a subject and the body
contains Iframe exploit and the link to BANNER.HTM file that is
located on a website in the USA. When that e-mail is opened on a
recipient's system, IFrame exploit allows the link to
automatically activate and a recipient's computer gets infected.
However, only certain e-mail clients are affected by this
When the DLL gets loaded next time, it does the following:
1. Creates/updates the following key values in the Registry:
2. Starts the MessageHandler routine.
When the MessageHandler routine is started, the worm goes to the
website located in the USA (different from the one that has the
BANNER.HTM and worm's DLL) and reports country again. Then it
waits for a reply from the site. If the reply is 'WAIT', then the
worm tries to reconnect again later. If the reply is 'URL=', then
the worm opens Internet Explorer and goes to the URL, received
from the website.
The worm has a payload. It kills the following processes:
This payload only works during the worm's installation process.
Detection for this malware was published on March 24th, 2004 in
the following F-Secure Anti-Virus updates:
Please note that F-Secure Anti-Virus does not detect neither
"Ieload.dll" nor "htmlhelp.cgi" with the default on-access
scanner extension list, unless "cgi" and "dll" are added to the
All files are scanned by default settings of on-demand scan.
Alexey Podrezov, March 24th, 2004;
Katrin Tocheva, Sami Rautiainen, Alexey Podrezov, March 24th, 2004;
Alexey Podrezov, March 25th, 2004;