This is a Win32 worm that spreads by sending itself via e-mail to the recipients in a victim’s Outlook Address book.
When launched on a ‘clean’ PC, the worm copies itself to %SYSTEM%\Setup30.exe.
The worm also writes an auto-start key, so it will launch each time Windows starts:
The worm then suspends for 5 minutes and launches one of its payloads, depending on the system time:
Monday: finds and removes I-Worm.Badtrans
Tuesday: restores default values in Win.ini:
[windows]
Run=
Load=
and sets the following registry key value:
HKCR\exefile\shell\open\command
Default value="%1" %*
Wednesday: finds and removes I-Worm.PrettyPark
Thursday: deletes the following files if they exist:
c:\mirc\mirc.ini
c:\mirc\script.ini
c:\mirc32\mirc.ini
c:\mirc32\script.ini
c:\irc\mirc.ini
c:\irc\script.ini
c:\chat\mirc.ini
c:\chat\script.ini
c:\progra~1\mirc\mirc.ini
c:\progra~1\mirc\script.ini
c:\progra~1\mirc32\mirc.ini
c:\progra~1\mirc32\script.ini
c:\progra~1\irc\mirc.ini
c:\progra~1\irc\script.ini
Friday: finds and removes I-Worm.Sircam.c
Saturday: restores default values in System.ini:
[boot]
Shell=explorer.exe
Sunday: finds and deletes all files with a “.vbs” extension in %WINDOWS% and %SYSTEM% folders.
On September 16, the worm displays the following message:
Antivirus
System protected by I-Worm.Antivirus
Copyright (c) 2001 by aLL3gRo
After executing the payload, the worm checks whether the following registry value is present:
HKLM\Software\Microsoft\Windows\CurrentVersion Install=1
If the value doesn’t exist, the worm tries to send itself to the senders of messages found in the folders of the default MAPI client.
The subject of the message sent is “New antivirus tool”. The message carries the attachment “Antivirus.exe”, which is the virus itself, and contains the following text in the body:
Hey, checkout this new antivirus tool which checks your system for viruses
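
An added example, not part of the original description: a mail-gateway style check in Python that tests a message against the subject, attachment name and body phrase listed above. The function names, the verdict labels and the sample messages are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the description above (compared case-insensitively).
SUBJECT = "new antivirus tool"
ATTACHMENT = "antivirus.exe"
BODY_PHRASE = "checkout this new antivirus tool"

def match_indicators(raw: bytes) -> dict:
    """Report which of the three described indicators a raw message matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("Subject", "")).strip().lower()
    names, texts = [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename:                                  # any named part counts as an attachment
            names.append(filename.strip().lower())
        elif part.get_content_type() == "text/plain":
            texts.append(part.get_content().lower())
    body = " ".join(" ".join(texts).split())          # undo line wrapping before matching
    return {
        "subject": subject == SUBJECT,
        "attachment": ATTACHMENT in names,
        "body": BODY_PHRASE in body,
    }

def verdict(raw: bytes) -> str:
    """Hypothetical policy: attachment name plus one more indicator quarantines."""
    hits = match_indicators(raw)
    if hits["attachment"] and (hits["subject"] or hits["body"]):
        return "quarantine"
    return "review" if any(hits.values()) else "pass"

def build_sample(subject: str, body: str, attachment_name: str = None) -> bytes:
    """Constructed test message; the attachment holds harmless placeholder bytes."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "recipient@example.com"
    m["Subject"] = subject
    m.set_content(body)
    if attachment_name:
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename=attachment_name)
    return m.as_bytes()
```

A single indicator on its own only yields "review", since the subject line or the file name alone can occur in legitimate mail.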