Kaspersky Threats — CoolNotepad

Class

Platform

Description

Technical Details

This is a VBS Internet worm based on the “LoveLetter” worm. The worm spreads
attached to e-mail messages:

Subject:

Cool Notepad Demo

Message body:

Hey check out this text file I sent it will do something neat in notepad.

Enjoy 🙂

Attachments name:

COOL_NOTEPAD_DEMO.TXT.vbs

To send infected messages, the worm uses MS Outlook and sends its copies to
all addresses listed in the Outlook address book.

The worm also sends its copy to the IRC channel. To do that, it overwrites the SCRIPT.INI
file in the mIRC directory with a set of commands that send the worm file to everybody
who enters the infected channel. When an infected user enters an IRC channel, the
worm also enters a “virus” conference, then sends the message to there:

Cool Notepad Demo

and leaves that conference.

The worm also creates its copy COOL_NOTEPAD_DEMO.TXT.vbs in the Windows system
directory and registers it in the system registry in the auto-run section:

HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun COOL_NOTEPAD_DEMO
= FileName

where FileName is the full name of the worm copy in the Windows system directory.

The worm has a side effect. It hides all icons on the Desktop by a Registry key:

HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionPoliciesExplorer
NoDesktop = 1

Find out the statistics of the threats spreading in your region

Class	Email-Worm
Platform	VBS
Description	Technical Details This is a VBS Internet worm based on the “LoveLetter” worm. The worm spreads attached to e-mail messages: Subject: Cool Notepad Demo Message body: Hey check out this text file I sent it will do something neat in notepad. Enjoy 🙂 Attachments name: COOL_NOTEPAD_DEMO.TXT.vbs To send infected messages, the worm uses MS Outlook and sends its copies to all addresses listed in the Outlook address book. The worm also sends its copy to the IRC channel. To do that, it overwrites the SCRIPT.INI file in the mIRC directory with a set of commands that send the worm file to everybody who enters the infected channel. When an infected user enters an IRC channel, the worm also enters a “virus” conference, then sends the message to there: Cool Notepad Demo and leaves that conference. The worm also creates its copy COOL_NOTEPAD_DEMO.TXT.vbs in the Windows system directory and registers it in the system registry in the auto-run section: HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun COOL_NOTEPAD_DEMO = FileName where FileName is the full name of the worm copy in the Windows system directory. The worm has a side effect. It hides all icons on the Desktop by a Registry key: HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionPoliciesExplorer NoDesktop = 1
	Find out the statistics of the threats spreading in your region

Email-Worm.VBS.CoolNotepad

Technical Details