Threat Description



Category: Malware
Type: Worm
Platform: W32
Aliases: Snapper, I-Worm.Snapper, W32/Snapper.A@mm, VBS/Inor.J


On March 24th, 2004, we received reports about a new worm that spreads from a website located in the USA. The worm sends e-mail messages containing a link to an HTML page that runs a script dropper, which in turn drops the worm's binary file onto the user's computer.


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.


Technical Details

Snapper is a multi-component e-mail worm. It consists of an HTML page, a script dropper and a DLL file that is installed on a user's computer.

The worm's distribution cycle starts from an e-mail. The e-mail contains a link to the "banner.htm" webpage on a webserver in the USA. On certain e-mail clients this link is activated automatically, because the worm's message uses the IFrame exploit. So the worm does not send itself as an attachment; it sends a link together with an exploit.

When the link is activated, the worm connects to the website and executes the script. The script determines the version of Internet Explorer. For versions 5.0, 5.5 and 6.0, the worm uses the Object Data Remote Execution (MS03-032) vulnerability to run another script, "htmlhelp.cgi", written in Visual Basic Script, from the same website. This VBS script then drops the binary part as "Ieload.dll" into the Windows installation directory and executes it.

Further information about the vulnerability is available from Microsoft:

The binary part of the worm is a Windows DLL file 8704 bytes long. The DLL has two functions, InstallDLL and MessageHandler; the latter does the e-mail spreading.

The script dropper calls the InstallDLL function and then deletes the DLL file from the Windows folder. When the DLL is activated, it copies itself as IELOAD.DLL to the Windows System folder and registers itself as a Browser Helper Object. The worm creates a unique class ID under the following Registry key:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

That class ID points to the IELOAD.DLL file located in the Windows System folder.
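A check for the persistence mechanism just described, added here as an example (it is not F-Secure's code): it parses a constructed .reg export of the Browser Helper Objects key, resolves each registered CLSID to the DLL its InprocServer32 entry loads, and flags any that load IELOAD.DLL. Because the worm generates a fresh class ID on each install, matching on the DLL name rather than on a CLSID is the useful test; the CLSIDs and paths in the sample are made up.

```python
from pathlib import PureWindowsPath

# Constructed sample: a .reg export of the BHO list and the matching CLSID
# entries, shaped like an infected host. The CLSIDs and paths are invented.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}]

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\WINDOWS\\SYSTEM32\\IELOAD.DLL"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\InprocServer32]
@="C:\\Program Files\\Example\\toolbar.dll"
"ThreadingModel"="Apartment"
"""

BHO_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"


def parse_reg(text):
    """Return {key_path: {value_name: data}} for the string values in a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and "=" in line:
            name, _, data = line.partition("=")
            name = "@" if name == "@" else name.strip('"')
            if data.startswith('"') and data.endswith('"'):
                # .reg files escape backslashes in string data as "\\"
                keys[current][name] = data[1:-1].replace("\\\\", "\\")
    return keys


def installed_bhos(keys):
    """Map each registered BHO CLSID to the DLL path its InprocServer32 key names."""
    result = {}
    for key in keys:
        if key.lower().startswith(BHO_KEY.lower() + "\\"):
            clsid = key.rsplit("\\", 1)[1]
            server = keys.get("HKEY_CLASSES_ROOT\\CLSID\\" + clsid + "\\InprocServer32", {})
            result[clsid] = server.get("@")
    return result


def snapper_indicators(keys):
    """CLSIDs of BHOs whose server DLL is named IELOAD.DLL, regardless of CLSID value."""
    return sorted(clsid for clsid, path in installed_bhos(keys).items()
                  if path and PureWindowsPath(path).name.lower() == "ieload.dll")
```

On a live host the same logic applies to the output of `reg export` for the two hives, or to the keys read directly with winreg.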

After that the worm opens a connection to a website (different from the one hosting BANNER.HTM and the worm's DLL), reports that it has been installed and sends country information there.

Then the worm reads the user's SMTP information (account, e-mail address, user name) from the Registry, opens the user's Windows Address Book file, reads it and sends e-mails to all e-mail addresses found there.

The e-mail sent by the worm has 'Re:' as its subject, and the body contains the IFrame exploit and the link to the BANNER.HTM file located on a website in the USA. When that e-mail is opened on a recipient's system, the IFrame exploit lets the link activate automatically and the recipient's computer gets infected. However, only certain e-mail clients are affected by this exploit.

When the DLL gets loaded next time, it does the following:

1. Creates/updates the following key values in the Registry:

[HKCC\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"TimerTicks"
"PopupsLoaded"

2. Starts the MessageHandler routine.

When the MessageHandler routine is started, the worm connects to the website located in the USA (different from the one hosting BANNER.HTM and the worm's DLL) and reports the country again. Then it waits for a reply from the site. If the reply is 'WAIT', the worm tries to reconnect later. If the reply is 'URL=', the worm opens Internet Explorer and navigates to the URL received from the website.

The worm has a payload. It kills the following processes:


This payload only works during the worm's installation process.

Please note that F-Secure Anti-Virus detects neither "Ieload.dll" nor "htmlhelp.cgi" with the default on-access scanner extension list unless "cgi" and "dll" are added to the list manually.

With default settings, the on-demand scanner scans all files.


Detection for this malware was published on March 24th, 2004 in the following F-Secure Anti-Virus updates:

Detection Type: PC
Database: 2004-03-24_02

Description Details: Alexey Podrezov, March 24th, 2004
Technical Details: Katrin Tocheva, Sami Rautiainen, Alexey Podrezov, March 24th, 2004
Description Last Modified: Alexey Podrezov, March 25th, 2004

