This Internet worm spreads in e-mail messages using MS Outlook Express as well as MSMAPI service. The worm is written in Visual Basic Script language (VBS).
The worm arrives to a computer as an e-mail message in HTML format or as plain text message with an attached HTML file. In the first case, the script code in the HTML message body automatically executes upon message opening, and the worm gains control. In the other case, a user must open the attached HTML file (double-click on it) to activate the worm.
Being activated, the worm doesn’t start immediately spreading; but rather begins infecting a computer.
It modifies the desktop wallpaper with an HTML file that contains the worm code inside. If the desktop has had a background picture before infection, this picture will be shown as the background of the infected HTML and in most cases, it will not be apparent to the user that the wallpaper has been changed; thus, the worm gains control each time the desktop is displayed (for example, upon Window startup) or refreshed.
Additionally, the worm infects all .HTT files in the “WEB” subfolder of the Windows folder. Windows uses these files to customize some folders in view in Explorer when the Web mode is enabled (for example, the Program Files folder). Infection of these files causes the execution of the worm code each time a specific folder is displayed.
Each time the worm gains control, it searches for files with the extensions HTM, HTML, ASP, and VBS and infects them (insert own code into these files) – one file at a time. After some time, all these files on a computer are infected.
The worm also modifies the MS Outlook Express registry values to force Outlook Express created messages in HTML format and uses stationery for this. In this way, the worm spreads in messages created using Outlook Express. Each time Outlook Express composes a new message, it uses one of the stationery templates (just HTML files, infected by the worm – see above); so the worm’s script automatically enters a message.
Upon each run, the worm increments a counter in the system registry, and when it reaches value 366, the worm runs one of two spreading routines.
The first routine collects e-mail addresses from the MS Outlook address book and sends infected messages to all collected addresses.
The second routine enumerates all messages in the Inbox folder, and upon each found message, creates and sends “reply”, were the subject is “Fw: ” and the subject of the original message.
Both routines use MSMAPI service for sending messages.
An infected message has no text, but has the attached file “Untitled.htm” containing the worm code inside.
If the sum of the day and month is 13, the worm searches for EXE and DLL files and deletes them one file at a time.