Email-Worm.VBS.Tossed

Technical Details

This worm spreads in e-mail messages. The worm itself is a DOS EXE file about 30K in length. When run, it installs itself to the Windows directory with the TYPEDEF.EXE name and registers itself in a WIN.INI file in the auto-run section.
To hide its activity, the worm then displays a fake message and exits:

PKSFX Self Extraction Utility Version 2.50 03-01-1999
Copr. 1989-1999 PKWARE Inc. All Rights Reserved. Shareware Version
PKZIP Reg. U.S. Pat. and Tm. Off. Patent No. 5,051,745

Error in SFX – Unable to extract !!

While installing, the worm tries four “hardcoded” variants of the Windows directory name: C:WINDOWS, C:WIN95, C:WIN98, C:WINNT, and fails to install itself when Windows is installed in the directory with different name.

Upo the next Windows start-up, the worm copy is activated as a TYPEDEF.EXE file from the Windows directory. The worm runs a counter that is stored in the TYPEDEF.INI file and is incremented on each TYPEDEF.EXE file start (i.e., on each
Windows start-up). Depending on that counter (once per three runs), the worm creates a TYPEDEF.VBS file and writes a VisualBasicScript program to there that sends the worm copy attached to e-mail messages.

That program opens MS Outlook, reads e-mail addresses from the AddressBook and sends messages to all of them. The message subject is: “Check this out”.
The message text and attached file name are randomly selected from eight variants:

It seems internet explorer 5 has some kinda bug which leaves some secuirity holes and allows somebody to write files onto your system. I downloaded this fix. I am sending it as an attatchment.
Attach: IE5FIX.EXE

I found something to help get rid of those irritating ads that pop up when you go to some sites. I am sending it as an attatchment.
Attach: NOADS.EXE

Here are some images you might like. You really need to check them out.
Attach: IMAGES.EXE

I am sending some of the coolest pictures known to man. You might want to check them out.
Attach: COOLPICS.EXE

Please take a look at these documents. I am sending them compressed in a self extractor.
Attach: DOCS.EXE

I am sending you the setup of the latest shareware version of PKZip. It gives excellent compression ratios. You might want to install it.
Attach: PKSETUP.EXE

I downloaded a patch to some bug in Internet Explorer. I am sending it as an attatchment.
Attach: PATCH.EXE

I downloaded a screen saver with cool effects. I am sending you its installation. Do try it out
Attach: SCRNSAVE.EXE

Also depending on the counter, the worm displays the text:

 ------                                     --
 - -- -                                     --
  --     ----   ----    ----    ----       --
  --    --  -- --      --      --  --   -----
  --    --  --  ----    ----   ------  --  --
  --    --  --     --      --  --      --  --
 ----    ----   ----    ----    -----   --- --

                                -----           ---                --
                                --   --           --                --
                                ---       ---     --      ---       --
                                  ---       --    --        --   -----
                                    ---  -----    --     -----  --  --
                                --   -- --  --    --    --  --  --  --
                                 -----   --- --   ---    --- --  --- --

!!! and scrambled eggs !!!
I-WORM.TSSE
Coded by [Offset]

The worm also contains the text strings:

The Tossed Salad and Scrambled Eggs Worm = I-Worm.TSSE. Coded by [Offset]