This Internet worm spreads via e-mail messages using MS Outlook and IRC, and is written in VBS. The worm doesn’t work correctly, because it contains a few fatal errors.
When the script is run, it creates self-copies in the system directories:
Also it creates three scripts in IRC directory:
The IRC scripts are needed for spreading via the IRC channel. As directories named “C:Windows” and “C:mIRC” hard register in worm’s body, it can’t execute these operations if the operation system and IRC installed in different directories.
After this, the worm changes some keys in the system registry and WIN.INI file. This creates two keys in the registry:
and changes the value of the two keys in the WIN.INI file:
In this way, the worm always will be run when the operation system is started. In addition to this, the worm changes another two keys in the system registry
Then the worm activates a spread procedure, opening the MS Outlook address book, and for each address, creating the following message:
The worm contains errors, and this procedure can’t work correctly. So, the worm can’t spreads via e-mail.
In conclusion, the worm displays the following dialogue box:
When a user closes this box, the worm removes keyboard and mouse functions, and the runs MediaPlayer with a file from the Internet:
and changes AUTOEXEC.BAT, inserting the strings: