The worm's file is a PE executable file about 102 kilobytes long. The file is not packed.
Installation to system
When the worm's file is run for the first time, it shows a fake message box:
HATA
KERNEL HATASI
Then the worm copies itself to the Windows System directory as LSASSS.EXE and as YANZI.EXE and creates a startup key for the first file in the System Registry:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Kernel" = "%WinSysDir%\lsasss.exe"
where %WinSysDir% represents the Windows System folder, for example 'c:\windows\system32' on a default Windows XP installation.
The worm also creates a ZIP archive named YanZi.zip in the Windows folder, containing the worm's file under the name 'Sun YanZi.pif'. The worm uses the 'store' method when creating the ZIP archive, meaning that the worm's file inside the archive is not compressed.
The worm creates a short HTML file named 'sun_yanzi.htm' in the current directory and writes the text string 'Sun-Yanzi' there.
Additionally, the worm creates two base64-encoded files in the Windows System folder:
The first file is a base64-encoded copy of the worm; the second is a base64-encoded copy of the worm inside a ZIP archive. These files are used when the worm spreads via e-mail.
The worm creates a mutex with the name 'Sun YanZi - forever'.
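As an added example (not part of the original description), the following Python script checks host data for the installation artifacts listed above: the Run key value name and dropped file names, the 'lsasss.exe' name that masquerades as the legitimate lsass.exe, the mutex name, and base64-encoded files that decode to a PE header. The Run key entries, mutex list and base64 blobs it takes as input are constructed here; the lookalike heuristic, the fake PE header and the triage_host helper are my own.

```python
import base64
import binascii
import struct

# Indicators quoted from the description above.
RUN_VALUE_NAME = "Microsoft Kernel"
DROPPED_FILES = {"lsasss.exe", "yanzi.exe"}
MUTEX_NAME = "Sun YanZi - forever"
LEGIT_LSASS = "lsass.exe"


def is_lsass_lookalike(filename):
    """True when the name is lsass.exe with exactly one extra character
    inserted (e.g. 'lsasss.exe'), the way this worm masquerades as the
    Local Security Authority process."""
    n = filename.lower()
    if n == LEGIT_LSASS or len(n) != len(LEGIT_LSASS) + 1:
        return False
    return any(n[:i] + n[i + 1:] == LEGIT_LSASS for i in range(len(n)))


def check_run_entries(entries):
    """entries: iterable of (value_name, command) pairs read from the Run key.
    Returns the pairs that use the worm's value name, point at one of its
    dropped files, or start an lsass lookalike."""
    hits = []
    for name, command in entries:
        exe = command.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if name == RUN_VALUE_NAME or exe in DROPPED_FILES or is_lsass_lookalike(exe):
            hits.append((name, command))
    return hits


def looks_like_base64_pe(blob):
    """True when blob is base64 text that decodes to data with a DOS 'MZ'
    header and a 'PE\\0\\0' signature at e_lfanew. Whitespace is removed
    first so MIME-style line-wrapped files are handled."""
    compact = b"".join(blob.split())
    try:
        data = base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return False
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def _fake_pe():
    """Constructed stand-in for a PE file: only the DOS header, e_lfanew and
    the PE signature. It is not an executable."""
    hdr = bytearray(0x44)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    hdr[0x40:0x44] = b"PE\0\0"
    return bytes(hdr)


# Constructed samples: the fake PE base64-encoded and wrapped at 76 columns
# like a MIME body, and an innocuous base64 text blob.
_enc = base64.b64encode(_fake_pe())
SAMPLE_B64_PE = b"\r\n".join(_enc[i:i + 76] for i in range(0, len(_enc), 76))
SAMPLE_B64_TEXT = base64.b64encode(b"just a plain text note, not a program")


def triage_host(run_entries, mutexes, base64_blobs):
    """Combine the checks: run_entries as for check_run_entries, mutexes as a
    list of names, base64_blobs as (path, bytes) pairs. Returns finding tags."""
    findings = ["run-key:" + name for name, _ in check_run_entries(run_entries)]
    if MUTEX_NAME in mutexes:
        findings.append("mutex:" + MUTEX_NAME)
    findings += ["base64-pe:" + path for path, blob in base64_blobs
                 if looks_like_base64_pe(blob)]
    return findings


if __name__ == "__main__":
    print(triage_host(
        [("Microsoft Kernel", r"C:\WINDOWS\system32\lsasss.exe"),
         ("ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe")],
        ["Sun YanZi - forever"],
        [("system32\\a.txt", SAMPLE_B64_PE), ("system32\\b.txt", SAMPLE_B64_TEXT)],
    ))
```

The base64 check matters because the two encoded copies carry no 'MZ' header on disk and so slip past signature scans keyed on the executable; decoding first and then inspecting the PE header catches them.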
Spreading in e-mails
Before spreading, the worm reads the user's Address Book and scans the hard drive to harvest victims' e-mail addresses. The worm scans files with the following extensions:
- dbx
- adb
- asp
- jsp
- rtf
- doc
- xml
- txt
- htm
- html
The worm ignores e-mail addresses if they contain any of the following substrings:
- @google
- @norman
- @sophos
- @symantec
- @kaspersky
- @pandasoftware
- @microsoft
The worm sends e-mails with different subjects, body texts and attachment names. The subject of an infected e-mail is selected from the following variants:
- SuN YanZi
- Sun-YanZi
- Guvenlik
- Sun-YanZi Mp3
- Free MP3
- Love and SuN YanZi
- Forever Sun Yanzi
The body text of an infected e-mail is selected from the following variants:
- I don't want anything. I want to see Sun YanZi
- My Favourite is Sun YanZi.
- I want to meet Sun YanZi. I am loving Sun-YanZi Magic.
- You must to listen Sun-Yanzi. I am enjoying to listen Sun YanZi.
The attachment is either a ZIP archive with the worm's executable file or the worm's executable file itself. The name of an infected attachment is selected from the following variants:
- SunYanzi
- Sun_Yanzi
- Sun_Yanzi_Mp3
- Love_Sun
- Stephan_Yanzi
The extension of an infected attachment can be:
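As an added example (not part of the original description), the following Python script applies the e-mail indicators above to a message: exact matches on the listed subjects and bodies, the listed attachment base names, an attachment that starts with an 'MZ' header, and a ZIP attachment holding an uncompressed .pif member, which is how the description says the worm packages itself. The sample ZIP and message are constructed here; the reason tags and helper names are my own.

```python
import io
import zipfile

# Strings quoted from the description above.
SUBJECTS = {
    "SuN YanZi", "Sun-YanZi", "Guvenlik", "Sun-YanZi Mp3", "Free MP3",
    "Love and SuN YanZi", "Forever Sun Yanzi",
}
BODIES = {
    "I don't want anything. I want to see Sun YanZi",
    "My Favourite is Sun YanZi.",
    "I want to meet Sun YanZi. I am loving Sun-YanZi Magic.",
    "You must to listen Sun-Yanzi. I am enjoying to listen Sun YanZi.",
}
ATTACHMENT_BASENAMES = {"SunYanzi", "Sun_Yanzi", "Sun_Yanzi_Mp3", "Love_Sun", "Stephan_Yanzi"}
ZIP_MEMBER = "Sun YanZi.pif"


def stored_pif_members(data):
    """Return the names of .pif members stored without compression in a ZIP
    attachment, or an empty list if data is not a ZIP archive."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [i.filename for i in zf.infolist()
                    if i.filename.lower().endswith(".pif")
                    and i.compress_type == zipfile.ZIP_STORED]
    except zipfile.BadZipFile:
        return []


def triage_message(subject, body, attachments):
    """attachments: list of (filename, content_bytes). Returns a list of
    reason tags; an empty list means nothing matched."""
    reasons = []
    if subject.strip() in SUBJECTS:
        reasons.append("subject")
    if body.strip() in BODIES:
        reasons.append("body")
    for filename, data in attachments:
        # The base name is everything before the first dot, so it matches
        # whichever extension the worm appends.
        if filename.split(".", 1)[0] in ATTACHMENT_BASENAMES:
            reasons.append("attachment-name:" + filename)
        if data[:2] == b"MZ":
            reasons.append("executable-attachment:" + filename)
        for member in stored_pif_members(data):
            reasons.append("stored-pif-in-zip:" + member)
    return reasons


def build_sample_zip():
    """Constructed: a ZIP written with the 'store' method holding a dummy
    'Sun YanZi.pif' member, mirroring the archive layout described above.
    The member content is a placeholder, not an executable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_STORED) as zf:
        zf.writestr(ZIP_MEMBER, b"placeholder, not a program")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_message("Sun-YanZi Mp3", "Here is the song.",
                         [("Sun_Yanzi_Mp3.zip", build_sample_zip())]))
```

Because the worm stores rather than deflates the archive member, the worm's bytes inside the ZIP are identical to the loose executable, so a scanner that already knows the executable can match the stored member without decompressing anything.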
Spreading to shared folders
The worm scans all available hard drives and RAM disks. If it finds a folder whose name contains the substring 'shar', it copies itself there under the following names:
- Sun YanZi.avi.exe
- Sun YanZi.mpg.exe
- Sun YanZi.mpeg.exe
- Sun YanZi - Shen Qi.exe
- Sun YanZi - I am not sad.mp3.exe
- Sun YanZi - Leave me alone.mp3.exe
- Sun YanZi - forever.mp3.exe
- Stephan YanZi.Mp3.exe
- Sun-YanZi.mp3.exe
In this way the worm can spread to the shared folders of P2P (peer-to-peer) clients and to the local network.
Backdoor
The worm has a simple backdoor that listens on TCP port 67. It allows executable files to be downloaded from the Internet and run.
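As an added example (not part of the original description), the following Python script covers the two previous sections: it flags files in share-like folders that carry one of the listed names or a media extension followed by .exe, and it parses 'netstat -ano'-style output for a TCP listener on port 67. The folder listing and netstat lines are constructed here; the helper names are my own. DHCP/BOOTP servers use UDP port 67, so a TCP listener on that port on a workstation is out of place and worth investigating.

```python
import re

# Names quoted from the description above.
SHARE_COPY_NAMES = {
    "Sun YanZi.avi.exe", "Sun YanZi.mpg.exe", "Sun YanZi.mpeg.exe",
    "Sun YanZi - Shen Qi.exe", "Sun YanZi - I am not sad.mp3.exe",
    "Sun YanZi - Leave me alone.mp3.exe", "Sun YanZi - forever.mp3.exe",
    "Stephan YanZi.Mp3.exe", "Sun-YanZi.mp3.exe",
}
_SHARE_COPY_NAMES_LC = {n.lower() for n in SHARE_COPY_NAMES}
MEDIA_EXTENSIONS = {"avi", "mpg", "mpeg", "mp3"}
BACKDOOR_PORT = 67

# Matches one TCP LISTENING line of 'netstat -ano' output (IPv4 or bracketed IPv6).
NETSTAT_LINE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")


def has_media_double_extension(filename):
    """True for names like 'clip.avi.exe': a media extension hiding a .exe."""
    parts = filename.lower().rsplit(".", 2)
    return len(parts) == 3 and parts[2] == "exe" and parts[1] in MEDIA_EXTENSIONS


def scan_share_listing(folder, filenames):
    """Return the files in a share-like folder (name contains 'shar') that use
    one of the worm's names or a media double extension. Other folders return
    an empty list because the worm only targets folders matching 'shar'."""
    if "shar" not in folder.lower():
        return []
    return [f for f in filenames
            if f.lower() in _SHARE_COPY_NAMES_LC or has_media_double_extension(f)]


def find_backdoor_listeners(netstat_lines):
    """Return (local_address, pid) for every TCP socket listening on port 67."""
    found = []
    for line in netstat_lines:
        m = NETSTAT_LINE.match(line)
        if m and int(m.group(2)) == BACKDOOR_PORT:
            found.append((m.group(1), int(m.group(3))))
    return found


# Constructed sample output in the layout of 'netstat -ano'; the PIDs are made up.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       932
  TCP    0.0.0.0:67             0.0.0.0:0              LISTENING       1540
  UDP    0.0.0.0:68             *:*                                    1096
""".splitlines()

# Constructed folder listing.
SAMPLE_LISTING = ["Sun YanZi - Shen Qi.exe", "song.mp3", "clip.avi.exe", "readme.txt"]


if __name__ == "__main__":
    print(scan_share_listing(r"D:\Shared", SAMPLE_LISTING))
    print(find_backdoor_listeners(SAMPLE_NETSTAT))
```

The double-extension rule is broader than the nine listed names on purpose: Explorer hides known extensions by default, so 'Sun YanZi.avi.exe' displays as an .avi file, and the same trick works with any name.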
Payload
During its installation cycle the worm kills the following processes: