Classification

Category :

Malware

Type :

Worm

Aliases :

Snapper, I-Worm.Snapper, W32/Snapper.A@mm, VBS/Inor.J

Summary

On March 24th, 2004 we received reports of a new worm that spreads itself via a website located in the USA. The worm sends email messages containing a link to an HTML page; that page runs a script dropper, which in turn drops the worm's binary file onto the user's computer.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Snapper is a multi-component email worm. It consists of an HTML page, a script dropper and a DLL file that is installed on a user's computer.

The worm's distribution cycle starts from an email. The email contains a link to the "banner.htm" webpage on a webserver in the USA. On certain email clients this link is activated automatically, because the worm uses the IFrame exploit in its email message. So the worm does not send itself as an attachment; it sends a link together with an exploit.

When the link is activated, the worm connects to the website and executes the script. The script determines the version of Internet Explorer. For versions 5.0, 5.5 and 6.0, the worm uses the Object Data Remote Execution vulnerability (MS03-032) to run another script, written in Visual Basic Script, "htmlhelp.cgi", from the same website. This VBS script then drops the binary part as "Ieload.dll" into the Windows installation directory and executes it.

Further information about the vulnerability is available from Microsoft:

https://www.microsoft.com/technet/security/bulletin/MS03-032.mspx

The binary part of the worm is a Windows DLL file 8704 bytes long. The DLL has two functions: InstallDLL, and MessageHandler, which does the email spreading.

The script dropper calls the InstallDLL function and then deletes the DLL file from the Windows folder. When the DLL is activated, it copies itself as IELOAD.DLL to the Windows System folder and registers itself as a Browser Helper Object. The worm creates a unique class ID under the following Registry key:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

That class ID points to the IELOAD.DLL file located in the Windows System folder.
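A practical way to check a machine for this kind of registration is to export the Browser Helper Objects key and the CLSID hive with "reg export" and resolve every BHO class ID to the DLL its InprocServer32 entry points at. The following script is an added example, not F-Secure's tooling or part of the worm: it parses a .reg export, lists every registered BHO with its server DLL, and flags entries whose server is IELOAD.DLL in the Windows System folder. The embedded export is constructed; the CLSIDs, the "Example Toolbar" entry and the C:\WINDOWS\SYSTEM32 path are placeholders (pass the inspected host's real System32 directory as system_dir).

```python
import re

# Registry locations the worm uses (from the description above).
BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
CLSID_KEY = r"HKEY_CLASSES_ROOT\CLSID"
INDICATOR_DLL = "ieload.dll"

# Constructed .reg export (not a real capture). The CLSIDs and the
# "Example Toolbar" entry are placeholders; the second BHO mirrors
# the registration described above.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}]

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Program Files\\Example Toolbar\\toolbar.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\InprocServer32]
@="C:\\WINDOWS\\SYSTEM32\\IELOAD.DLL"
"ThreadingModel"="Apartment"
"""

_VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def load_reg_file(path):
    """Read a 'reg export' file; REGEDIT 5.00 exports are UTF-16 with a BOM."""
    with open(path, encoding="utf-16") as fh:
        return fh.read()


def parse_reg(text):
    """Parse a .reg export into {lowercased key path: {value name: data}}.
    Only REG_SZ values ("...") are unescaped, which is all this check needs;
    other value types are kept as their raw text."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            if line.startswith("[-"):          # key deletion entry, nothing to read
                current = None
                continue
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        m = _VALUE_RE.match(line)
        if not m:
            continue
        name = "(Default)" if m.group(1) == "@" else m.group(2)
        data = m.group(3)
        if data.startswith('"') and data.endswith('"'):
            # .reg files escape backslash and double quote with a backslash
            data = re.sub(r"\\(.)", r"\1", data[1:-1])
        keys[current][name] = data
    return keys


def list_bhos(keys):
    """Return (CLSID, server DLL path or None) for each registered BHO."""
    prefix = BHO_KEY.lower() + "\\"
    result = []
    for path in keys:
        if not path.startswith(prefix):
            continue
        clsid = path[len(prefix):]
        if "\\" in clsid:                      # a subkey of a BHO entry, not an entry
            continue
        server = keys.get(f"{CLSID_KEY.lower()}\\{clsid}\\inprocserver32", {})
        result.append((clsid.upper(), server.get("(Default)")))
    return result


def find_snapper_bho(keys, system_dir=r"C:\WINDOWS\SYSTEM32"):
    """Flag BHOs whose server is IELOAD.DLL in the Windows System folder.
    system_dir is an assumption; pass the inspected host's real System32 path."""
    expected = (system_dir.rstrip("\\") + "\\" + INDICATOR_DLL).lower()
    return [(clsid, dll) for clsid, dll in list_bhos(keys)
            if dll and dll.lower() == expected]


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    for clsid, dll in list_bhos(parsed):
        print(clsid, "->", dll)
    print("Snapper BHO entries:", find_snapper_bho(parsed))
```

Run it against a real export with parse_reg(load_reg_file("bho.reg")). A BHO whose InprocServer32 cannot be resolved (dll is None) is also worth a look: it is either a leftover entry or a registration under a hive the export did not include.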

After that the worm opens a connection to a website (different from the one that hosts BANNER.HTM and the worm's DLL), reports that it has been installed and sends country information there.

Then the worm reads the user's SMTP information (account, email address, user name) from the Registry, opens the user's Windows Address Book file, reads it and sends emails to all email addresses found there.

The email sent by the worm has 'Re:' as its subject, and the body contains the IFrame exploit and the link to the BANNER.HTM file located on a website in the USA. When that email is opened on a recipient's system, the IFrame exploit allows the link to activate automatically and the recipient's computer gets infected. However, only certain email clients are affected by this exploit.
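Because the worm relies on an iframe in an HTML mail body to trigger the link without user action, a mail gateway rule can key on exactly that element. The script below is an added example, not part of the original description or of any F-Secure product: it parses a message, walks every text/html part, collects iframe targets and anchor links, and returns a verdict that is driven by the presence of a remote iframe, with the bare 'Re:' subject and the banner.htm reference reported as supporting indicators. Both sample messages are constructed; the hosts are placeholders and the lure contains a plain iframe element rather than the exploit itself.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed lure in the shape described above: bare 'Re:' subject, HTML body
# with an iframe and a link to banner.htm. Host is a placeholder and the iframe
# is an ordinary element, not the exploit payload.
SAMPLE_LURE = """\
From: sender@example.net
To: victim@example.org
Subject: Re:
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body>
<iframe src="http://www.example.com/banner.htm" width="0" height="0"></iframe>
<a href="http://www.example.com/banner.htm">http://www.example.com/banner.htm</a>
</body></html>
"""

# Constructed benign reply: HTML part with a link but no iframe anywhere.
SAMPLE_BENIGN = """\
From: colleague@example.org
To: victim@example.org
Subject: Re: meeting notes
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain

Notes are at http://intranet.example.org/notes.html
--b1
Content-Type: text/html

<html><body><a href="http://intranet.example.org/notes.html">notes</a></body></html>
--b1--
"""


class _RefCollector(HTMLParser):
    """Collect iframe src and anchor href attributes from an HTML part."""

    def __init__(self):
        super().__init__()
        self.iframes = []
        self.links = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe" and a.get("src"):
            self.iframes.append(a["src"])
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])


def extract_refs(raw_message):
    """Parse an RFC 822 message and gather iframe/anchor targets from every text/html part."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    collector = _RefCollector()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            collector.feed(part.get_content())
    return msg, collector.iframes, collector.links


def classify(raw_message, lure_page="banner.htm"):
    """Return indicators and a verdict. The verdict keys on a remote iframe,
    the delivery mechanism; the other indicators are supporting context."""
    msg, iframes, links = extract_refs(raw_message)
    remote_iframes = [u for u in iframes if urlparse(u).scheme in ("http", "https")]
    reasons = []
    if remote_iframes:
        reasons.append("html body embeds a remote iframe")
    if any(urlparse(u).path.lower().endswith("/" + lure_page) for u in iframes + links):
        reasons.append(f"references {lure_page}")
    if str(msg["subject"] or "").strip().lower() == "re:":
        reasons.append("bare 'Re:' subject")
    return {
        "subject": str(msg["subject"] or ""),
        "remote_iframes": remote_iframes,
        "links": links,
        "reasons": reasons,
        "suspicious": bool(remote_iframes),
    }


if __name__ == "__main__":
    for name, raw in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(name, classify(raw))
```

The verdict is deliberately tied to the iframe rather than to the subject or the file name, since an attacker changes the lure text and the hosted page name far more easily than the mechanism that makes the mail client fetch the page on open.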

When the DLL gets loaded next time, it does the following:

1. Creates/updates the following key values in the Registry:

[HKCC\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"TimerTicks"
"PopupsLoaded"

2. Starts the MessageHandler routine.

When the MessageHandler routine is started, the worm connects to the website located in the USA (different from the one that hosts BANNER.HTM and the worm's DLL) and reports the country again. Then it waits for a reply from the site. If the reply is 'WAIT', the worm tries to reconnect later. If the reply is 'URL=', the worm opens Internet Explorer and navigates to the URL received from the website.

The worm has a payload. It kills the following processes:

NAVAPW32.EXE
CCAPP.EXE
OUTPOST.EXE
SPIDERML.EXE

This payload only works during the worm's installation process.

Please note that F-Secure Anti-Virus detects neither "Ieload.dll" nor "htmlhelp.cgi" with the default on-access scanner extension list, unless "cgi" and "dll" are added to the list manually.

All files are scanned by default settings of on-demand scan.