This is worm virus spreading being attached to Email messages, through IRC channels, infecting PE EXE files (Win32 executable files), VBS files and incorporating its copies to RAR and ARJ archives. The worm itself is Win32
The worm has many bugs and in most of cases crash the system or corrupt files while infecting them.
When infected file is run, the worm copies itself to Windows system directory with one of the names randomly selects from following list depending on current day:
To access that copy later by its name the worm stores that name in Registry key:
where %wormname% is the file name of worm copy (it will be used below as well).
The worm also copies itself to Windows directory with PornoChat.exe name and registers that file in Registry auto-run key:
The worm is able to update itself. To do that it sets start page for MS Internet Explorer to “www.volny.cz/radix16/flu/update.gif”. As a result on
That can be not usual GIF image file – the worm looks for data that is attached to main GIF image data. The attached data has special format. It may contain a list of email addresses (it is stored to C:Heyya.txt file and is used later) and/or EXE file image.