This is the first known Internet worm executed as a PIF-file (Windows Program information file). The worm body is a standard Windows PIF file, but with a special inside routine.
In infected systems, the worm can be found in three different forms:
All three of these components are the same file, but with different names and extensions. They are contained by a system in different ways (as PIF file, as DOS batch program, as mIRC script) and their functionality is different.
The worm also drops a VBS-script file-helper to spread by e-mail.
After running, the FABLE.PIF file-worm makes two copies of itself with the names: C:TEST.BAT and %WinDir%BackUp570.pif. Then it executes C:TEST.BAT
Some of these files have the attributes “Hidden” and “Read-Only.” Separately, the worm creates INI files for mIRC clients and VBS-script files:
The INI-file is used for spreading through IRC channels. The VBS script creates the WINSTART.BAT file in the Windows directory, including commands for a run-itself copy when the operation system is starting. After that, the virus scripts through
The message contains randomly chosen subject from the following texts:
The body of the message consists of one of two phrases:
The FABLE.PIF file is attached to every message.
After the messages have been sent, the worm takes out the text message: