This is a family of Internet worms that spread via e-mail by sending infected messages from infected computers. To spread, the worms use MS Outlook and send themselves to the addresses stored in the MS Outlook Address Book.
The worms are written in the scripting language “Visual Basic Script” (VBS), and they work only on computers on which the Windows Scripting Host (WSH) has been installed. In Windows 98 and Windows 2000, WSH is installed by default. To spread, the worms access MS Outlook and use its functions and address lists. This functionality is available in Outlook 98/2000 only, so the worms are able to spread only when one of these MS Outlook versions is installed.
The worm arrives on a computer as an e-mail message with an attached VBS file that is the worm itself. The message in the original worm version contains:
The file extension (“.vbs”) is separated by lots of spaces and sometimes may not
Depending on the system settings, the real extension of the attached file (“.vbs”) may not be shown. In this case, the name of the attached file is displayed as “DRIVER.DOC”.
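A filename check of the kind a mail gateway could apply to the padded double extension described above. This is an added example, not part of the original description: the extension lists and the verdict names are assumptions, and the sample filenames are constructed.

```python
# Extensions executed by Windows Scripting Host (the worm itself uses .vbs).
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}
# Extensions a user reads as a harmless document (assumed decoy list).
DECOY_EXTS = {".doc", ".txt", ".jpg", ".gif", ".pdf", ".xls"}


def analyze_attachment(filename):
    """Return (real_extension, name_as_displayed, reasons) for an attachment name.

    name_as_displayed is what the user sees when the real extension is hidden
    or pushed out of view by padding.
    """
    name = filename.rstrip()
    stem, dot, ext = name.rpartition(".")
    if not dot:
        return "", name, []
    real_ext = "." + ext.lower()
    shown = stem.rstrip()                 # visible part before the padding
    padding = len(stem) - len(shown)      # whitespace run before the real extension
    reasons = []
    if real_ext in SCRIPT_EXTS:
        reasons.append("script-extension")
    if padding >= 1:
        reasons.append("padded-extension")
    _, inner_dot, inner_ext = shown.rpartition(".")
    if inner_dot and "." + inner_ext.lower() in DECOY_EXTS:
        reasons.append("double-extension")
    return real_ext, shown, reasons


def verdict(filename):
    """Map the findings to a policy decision: 'block', 'review' or 'allow'."""
    _, _, reasons = analyze_attachment(filename)
    if "script-extension" not in reasons:
        return "allow"
    disguised = {"padded-extension", "double-extension"} & set(reasons)
    return "block" if disguised else "review"


if __name__ == "__main__":
    # Constructed samples; the first mimics the attachment name described above.
    for sample in ["DRIVER.DOC" + " " * 40 + ".vbs", "report.doc",
                   "build.vbs", "notes.txt.js"]:
        print(repr(sample), analyze_attachment(sample), verdict(sample))
```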
Upon being activated by a user (by double-clicking on the attached file), the worm creates an exact copy of itself in the WINDOWS directory with the “driver.doc .vbs” name.
The worm checks whether the file system is NTFS, and if it isn’t, it exits. If the file system is NTFS, the worm creates an ODBC.INI file in the WINDOWS directory, and associates four additional NTFS streams with it.
Then the worm creates a temporary file (“go.vbs”), which assembles all parts of the worm into one file (“notepad.vbs”), and launches it.
The part of the worm launched from NOTEPAD.VBS sends a copy of the worm to the first 50 e-mail addresses in the Outlook address book. After mailing, the worm checks whether the operating system is Windows 2000, and if it is, adds a new user with the name “Lord_Nikon” to the system.