This is a virus-worm that spreads via the Internet attached to infected files. The worm itself is a Windows PE EXE file about 36Kb in length, and is written in Visual Basic Script.
The worm activates from an infected e-mail only when a user clicks on the attached file. The worm then installs itself to the system, and runs a spreading routine and payload.
While installing, the worm copies itself:
to the Windows directory, the Windows system directory and the C: drive root, with the `.EXE name; and to the Windows TEMP directory, with a name that depends on the worm version:
The C:`.EXE file is then registered in the system registry auto-run key:
and in the Windows SYSTEM.INI file, [boot] section, in the “shell” auto-run command.
To send infected messages, the worm uses MS Outlook and sends messages to all addresses found in the Outlook address book.
Subject, Body and Attachment name are different in the known worm versions:
where %UserName% is the name of the affected machine.
The first-known worm version, after e-mail spreading, deletes the following files in the Windows directory: REGEDIT.EXE, SYSTEM.INI, WIN.INI and COMMAND\EBD\io.sys, and then the files C:\IO.SYS and C:\NETWORK.LOG. It then copies itself to the J: network drive (if it exists).
The worm then creates and spawns two VBS files, “c:\passwd.vbs” and “c:\leo.vbs”, and then displays the following message:
The LEO.VBS file looks for the following files: .html .htm .asp .php .dll .com .txt .doc .xls .exe and overwrites them with the text:
The PASSWD.VBS file looks for .PWL files (password files) and sends them to the “firstname.lastname@example.org” e-mail address with the subject “mypasswd”.
Payload – other versions
On the 23rd of any month, the worm runs its payload routine (which takes effect under Win9x systems only). It writes to the C:\MSDOS.SYS file an instruction that disables the pausing and tracing of the Windows boot-up process, and then overwrites the C:\AUTOEXEC.BAT file with instructions that format all drives from C: to Z: on the next machine reboot.
Then the worm displays the message:
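The two host-side artifacts this write-up describes, the replaced “shell” command in the SYSTEM.INI [boot] section and the format instructions planted in AUTOEXEC.BAT, can be checked offline from a disk image or backup. The following triage script is an added example, not code from the original write-up; the SYSTEM.INI and AUTOEXEC.BAT contents and the EXAMPLE_WORM.EXE name are constructed placeholders.

```python
"""Offline triage of the Win9x persistence and payload artifacts described
above: a tampered shell= line in SYSTEM.INI [boot] and FORMAT commands in
AUTOEXEC.BAT.  Added example; file contents below are constructed."""
import re
from typing import List, Optional

# Constructed SYSTEM.INI whose [boot] shell entry has an extra executable
# appended (the name is a placeholder, not the worm's real file name).
SYSTEM_INI = """[boot]
shell=Explorer.exe C:\\EXAMPLE_WORM.EXE
drivers=mmsystem.dll
[386Enh]
device=*vmm32
"""

# Constructed AUTOEXEC.BAT carrying drive-formatting instructions.
AUTOEXEC_BAT = """@ECHO OFF
format C: /q
format D: /q
SET PATH=C:\\WINDOWS
"""

def boot_shell(system_ini: str) -> Optional[str]:
    """Return the value of shell= inside the [boot] section, or None."""
    section = None
    for raw in system_ini.splitlines():
        line = raw.strip()
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).lower()
            continue
        if section == "boot" and line.lower().startswith("shell="):
            return line.split("=", 1)[1].strip()
    return None

def shell_is_suspicious(system_ini: str) -> bool:
    """A stock Win9x [boot] shell= line is exactly Explorer.exe; any other
    binary, or anything appended after it, indicates tampering."""
    value = boot_shell(system_ini)
    return value is not None and value.lower() != "explorer.exe"

def format_targets(autoexec: str) -> List[str]:
    """Drive letters that AUTOEXEC.BAT would hand to FORMAT at boot."""
    pat = re.compile(r"^\s*@?\s*format(?:\.com)?\s+([a-z]):", re.I)
    return [m.group(1).upper() for line in autoexec.splitlines()
            if (m := pat.match(line))]

if __name__ == "__main__":
    print("shell hijacked:", shell_is_suspicious(SYSTEM_INI))
    print("format targets:", format_targets(AUTOEXEC_BAT))
```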