Snapper.C

 
Threat level: Moderate threat
Damage: High
Distribution: Not widespread

Effects 

Snapper.C carries out the following actions:

  • It takes a screenshot every 9 seconds and stores the screenshots in a directory that it creates.
  • It saves these screenshots as files with a BMP extension. Each file name consists of the date and time when the screenshot was taken, as in the following example:
    6-08-12-40-23.bmp
  • These screenshots allow its creator to obtain information about the user's movements, actions and habits, or even confidential information.
  • This information is sent to its creator.
  • Besides the threat to the user's privacy, saving a significant number of images could saturate the system and use up space on the hard drive.
  • It also loads the code pages for Japanese, Chinese and Korean, so that the system can interpret these languages. This could allow the worm to download malicious files from websites in any of these languages without any problem.

Infection strategy 

Snapper.C creates the following files, which are copies of itself:

  • ACROBAT.EXE, in the root directory of the C: drive and in the folder Backups, which it creates in the Windows directory.
  • MY FIRTS SEXUAL EXPERIENCIAS.PDF.EXE, on the Desktop.
  • ACROBAT DISTILLER.EXE, in the folder Acrobat reader of the Programs directory of the Start menu.
  • ACROBATTRAY.EXE, in the Startup directory. This way, it runs automatically whenever Windows is started.

Additionally, it creates the following files:

  • ALL ABOUT WORKS.HTML, in the folder My Documents.
  • Files with a BMP extension, in the folder Backups of the Windows directory. These files are the screenshots it takes every 9 seconds.

It also creates an AUTORUN.INF file in the root directories of all the drives, so that the copies of the worm are automatically run when they are accessed.

 

Snapper.C creates the following entries in the Windows Registry:

  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Codepage, 932, c_932.nls
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Codepage, 936, c_936.nls
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Codepage, 949, c_949.nls
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Codepage, 950, c_950.nls
    By creating these entries, the worm loads the characters needed to interpret pages in languages other than the system's usual one.
    Code 932 belongs to Japanese, 936 to Chinese, 949 to Korean and 950 to traditional Chinese.

Means of transmission 

Snapper.C spreads via the system drives: mapped, shared and removable. It creates a copy of itself in the root directory of all the drives. Additionally, it creates an AUTORUN.INF file in those drives, so that the copy of itself is automatically run whenever any of them is accessed.
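As an added example (not part of the original entry and not vendor tooling), the following Python function triages a file listing for the artefacts described above: the listed file names, an AUTORUN.INF directly in a drive root, and BMP files named like 6-08-12-40-23.bmp that appear at roughly 9-second spacing in one folder. The function name, the thresholds and the reading of the file-name fields are assumptions.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# File names the description lists. Names alone are only leads for review:
# legitimate software can use the same names in other locations.
DROPPED_NAMES = {
    "ACROBAT.EXE", "ACROBAT DISTILLER.EXE", "ACROBATTRAY.EXE",
    "MY FIRTS SEXUAL EXPERIENCIAS.PDF.EXE", "ALL ABOUT WORKS.HTML",
}
# Screenshot names such as 6-08-12-40-23.bmp. Assumption: the first two
# fields are the date and the last three are hour-minute-second.
SHOT_RE = re.compile(r"^(\d{1,2})-(\d{1,2})-(\d{1,2})-(\d{1,2})-(\d{1,2})\.bmp$", re.I)

def triage(paths, interval=9, tolerance=2, min_run=3):
    """Return (name_leads, cadence_dirs) for an iterable of Windows paths."""
    name_leads, shots = [], defaultdict(list)
    for raw in paths:
        p = PureWindowsPath(raw)
        m = SHOT_RE.match(p.name)
        if m:
            d1, d2, hh, mm, ss = map(int, m.groups())
            shots[str(p.parent).upper()].append(((d1, d2), hh * 3600 + mm * 60 + ss))
        elif p.name.upper() in DROPPED_NAMES:
            name_leads.append(raw)
        elif p.name.upper() == "AUTORUN.INF" and p.anchor and len(p.parts) == 2:
            name_leads.append(raw)  # AUTORUN.INF directly in a drive root
    cadence_dirs = []
    for folder, entries in shots.items():
        entries.sort()
        run = best = 0
        # Count consecutive same-day files spaced about `interval` seconds apart.
        for (day_a, t_a), (day_b, t_b) in zip(entries, entries[1:]):
            ok = day_a == day_b and abs((t_b - t_a) - interval) <= tolerance
            run = run + 1 if ok else 0
            best = max(best, run)
        if best >= min_run:
            cadence_dirs.append(folder)
    return name_leads, sorted(cadence_dirs)

SAMPLE = [  # constructed listing, not taken from a real host
    r"C:\ACROBAT.EXE", r"E:\AUTORUN.INF",
    r"C:\Program Files\Vendor\AUTORUN.INF",
    r"C:\WINDOWS\Backups\6-08-12-40-23.bmp", r"C:\WINDOWS\Backups\6-08-12-40-32.bmp",
    r"C:\WINDOWS\Backups\6-08-12-40-41.bmp", r"C:\WINDOWS\Backups\6-08-12-40-50.bmp",
    r"C:\Users\a\Pictures\1-02-10-00-00.bmp",
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

An AUTORUN.INF in a drive root also appears on legitimate installation media, so that hit is a prompt to inspect the file's contents rather than a verdict.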

Further Details  

Snapper.C creates a file with an HTML extension in the folder My Documents with the name ALL ABOUT WORKS.HTML, as if it were a signature.

When it is run, a website is opened where the following message can be read:

Hello Dear User
Your computer have a worm
Don't worry about your datas
Your datas are safe and have no problem
This program is only a text and experience for programming.
Have a nice time.
Thanks and goodbye.

The following image shows this website:

Last updated:  12/06/2009 
