http://upx.sourceforge.net

Remitente, direcciones falsas con la técnica Spoofing:

Asunto, aleatoriamente uno de los siguientes:

• He, where are you?
• Hi! I'm waiting you online today!
• Hi! Please write to me urgently!
• Hi!!! How's the mood?
• Hi, drop me a line!!!
• Hi, what's up?
• Re: Call me!
• Re: How's the mood?
• Re: When you're gonna answer me?
• Re: Where are you?
• Re: Where have you been?
• Re: write to me!
• When you're gonna answer me?
• Will you be online today?

Contenido, uno de los siguientes: 

• Btw, I sent you those docs that you've been looking for. Check them out. Bye!
• Drop me a line in ICQ, ok? Btw, I'm sending you the docs you've been looking for, find them attached. Check them out, ok?
• Hi! How are you? Drop me a line if you can. I found your documents and I'm emailing them to you. Bye.
• Hi!!!!! You haven't been writing for a long time. I began to worry) Where have you been? You remember, you've asked a progy from me? I've finally found it, so here it is. Check it out if this is what you've been looking for... bye
• Hi, drop me a line if you can. Btw, I have a new ICQ. Please don't forget to check the attached documents. Bye.
• Hi, drop me a line today, ok? And see the program I'm sending. Bye!
• Hi, give me a call just when you got the message! I'm tired of waiting. Btw, I'm sending that program that you've been looking for. Check it out. Appears to be that one. Bye!
• Hi, how are you? What are your plans today? If you have time, please come over, and don't forget to check the program attached. Bye!
• Hi, I found that program you asked for. Find it attached. Bye.
• Hi, I got a free day tomorrow, and I'm waiting for you. Please come after midday. By the way, I'm sending you the documents that you've been asking for. Read them out... Bye!
• Hi, I saw you around today, but you didn't noticed me ( If you're gonna be at home, give a call, ok? By the way, check this file I'm sending. A very interesting program...
• Hi, what's up? If you have time tomorrow, please come over. After midday. By the way, don't forget to check the enclosed documents. Bye. See you tomorrow.
• Hi, what's up? Will you show up online today?
• Hi, what's you gonna do today? I'll come over tonight! By the way, don't give anyone this funny program I'm sending. Check it out. Bye!
• I got news. I've finally that program you needed
• I'm coming to you tomorrow, ok? When you are going to be home?
• I'm sending it out. Use it. Bye!
• What's up! You haven't been writing for a long time
• You disappeared again. If you come online, drop me a line, ok?
• You remember, you've asked some docs. Please find them attached. Check and see what's inside. That's it. Bye, till tomorrow...a

Anexado, uno de los siguientes:

• Archive.zip
• backup.zip
• confidential.zip
• Document.zip
• Fotos.zip
• images.zip
• Important.zip
• Message.zip
• Passwords.zip
• private.zip
• README.zip
• Readme.zip
• secret.zip
• your_documents.zip

Los archivos con extensión .ZIP se almacenan en la carpeta temporal de Windows y se desempaquetan en memoria. 

Al activarse se copia a la carpeta %Windir% como Csrss.exe, que se engancha en memoria a procesos normales de Windows. 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\ CurrentVersion\Image File Execution Options\explorer.exe] 
"Debugger" = "%Windir%\csrss.exe"

%Windir% es una variable que corresponde a C:\Windows en Windows 95/98/Me/XP/Server 2003 y C:\Winnt en Windows NT\2000.