Class Email-Worm
Platform Win32

Technical Details

Actem is a worm virus spreading via the Internet as an infected email attachment. The worm itself is a Windows PE EXE file about 61Kb in size, written in Visual Basic.

The infected messages body is empty.

The email Subject is:

“Try this, pretty cool”

There are two files attached to the email. One is a copy of the worm:


While the other is a text file:


Actem activates from the infected email only if a user clicks on the attached file. If activated the worm installs itself into the system and displays false messages.

The worm hides itself as an “Active Mouse” application and displays several false messages and menus when the infected file is run.

Actem shows this “active mouse” dialog window:

Other false messages displayed by Actem if executed:

Actem does not install itself to the system and is not active after having run – unless a user clicks on the infected attachment again.

To send out infected messages Actem uses MS Outlook to send messages to all addresses found in the Outlook address book.

Find out the statistics of the threats spreading in your region