This is a virus-worm that spreads via the Internet. It works similar to the
worm: it installs itself into the system, hooks
the Internet access Windows functions, obtains Internet addresses to where it
sends its copies. The worm has bugs and replicates under Win9x only, not under WinNT.
The worm appears as a “Fix20001.Exe” file attached to an e-mail message. The
message has the subject “Internet problem year 2000.” and the message text
is written in two languages: English and Spanish:
Rogamos actualizar y/o verificar su Sistema Operativo para el
correcto funcionamiento de Internet a partir del A�o 2000. Si
Ud. es usuario de Windows 95 / 98 puede hacerlo mediante el
Software provisto por Microsoft (C) llamado -Fix2001- que se
encuentra adjunto en este E-Mail o bien puede ser descargado
del sitio WEB de Microsoft (C) HTTP://WWW.MICROSOFT.COM
Si Ud. es usuario de otros Sistemas Operativos, por favor, no
deje de consultar con sus respectivos soportes tecnicos.
We will be glad if you verify your Operative System(s) before
Year 2000 to avoid problems with your Internet Connections.
If you are a Windows 95 / 98 user, you can check your system
using the Fix2001 application that is attached to this E-Mail
or downloading it from Microsoft (C) WEB Site:
If you are using another Operative System, please don’t wait
until Year 2000, ask your OS Technical Support.
The worm also contains text strings that are used to generate and send
attached data in an e-mail message, as well as the texts:
THE REAL KEY TO LIVE A HAPPY LIFE, IS: BE A GOOD MAN.
PARA CONSEGUIR LA VERDADERA FELICIDAD, SE UN BUEN TIPO.
The attached file (the worm itself) is a Windows executable file about
12Kb in length. When executed, it installs itself into the system
Windows directory with the FIX2001.EXE name and registers itself in the “Run=”
system registry key to activate its copy upon each Windows restart:
Fix2001 = “FIX2001.EXE”
The worm then displays the following fake message to hide its activity:
Upon being run from the installed FIX2001.EXE copy, the worm registers itself as
a system-service process (to hide its window and stay active upon user logoff)
with the “AMORE_TE_AMO” identification Window’s headline; gains access to
the WSOCK32.DLL Internet connection library; obtains addresses for “connect”
and “send” functions; patches them with call instructions to the worm’s
hookers; and stays in the Windows memory as hidden applications.
When the Internet connection is activated, the worm scans data that is sent
and received, obtains Internet addresses from there, and sends infected
messages to these addresses.
The worm has a very dangerous payload that is activated when the text
strings in the worm’s body are patched or corrupted (this is possible, because
the data are transferred via Internet channels). In this way, the worm
overwrites the C:COMMAND.COM file with a DOS Trojan that upon the next computer
reboot, erases all data on the hard drive.