Class | Email-Worm |
Platform | PIF |
Description |
Technical DetailsThis is the first known Internet worm executed as a PIF-file (Windows Program information file). The worm body is a standard Windows PIF file, but with a special inside routine. In infected systems, the worm can be found in three different forms:
All three of these components are the same file, but with different names and extensions. They are contained by a system in different ways (as PIF file, as DOS batch program, as mIRC script) and their functionality is different. The worm also drops a VBS-script file-helper to spread by e-mail. After running, the FABLE.PIF file-worm makes two copies of itself with the names: C:TEST.BAT and %WinDir%BackUp570.pif. Then it executes C:TEST.BAT
Some of these files have the attributes “Hidden” and “Read-Only.” Separately, the worm creates INI files for mIRC clients and VBS-script files:
The INI-file is used for spreading through IRC channels. The VBS script creates the WINSTART.BAT file in the Windows directory, including commands for a run-itself copy when the operation system is starting. After that, the virus scripts through The message contains randomly chosen subject from the following texts:
The body of the message consists of one of two phrases:
The FABLE.PIF file is attached to every message. After the messages have been sent, the worm takes out the text message:
|
Find out the statistics of the threats spreading in your region |