Class Email-Worm
Platform VBS

Technical Details

This is an Internet worm that widely spread on 9 May 2001. The worm is written
in Visual Basic Script language (VBS) and spreads as a “homepage.HTML.vbs” file
attached to an e-mail message.

This is a usual Loveletter-like VBS worm, but it is encrypted (encoded) to
bypass heuristic scanners.

This worm spreads via e-mail by sending infected messages from infected
computers. While spreading, the worm uses MS Outlook and sends itself to all
addresses that are stored in MS Outlook Address Book. As a result, an infected
computer sends as many messages to as many addresses are kept in MS Outlook
contacts list.

It works only on computers on which the Windows Scripting Host (WSH) is
installed. In Windows 98 and Windows 2000, WHS is installed by default. To
spread itself, the worm accesses MS Outlook and uses its functions and
address lists. This is available in Outlook 98/2000 only, so the worm is
able to spread only in case one of these MS Oulook versions is installed.

The infected message in the original worm version appears as follows:

Subject = “Homepage”
Body = Hi!
You’ve got to see this page! It’s really cool ;O)

After spreading, the worm randomly opens one of four adult-orientated/pornographic pages to keep a user unaware.

To avoid double spreading from the same machine it creates the
“HKCUsoftwareAnmailed” registry key and writes a “1” value to there. This is done so it
does not spread from one to the same machine twice.