This is an Win32 e-mail worm. The worm has two components:
Helper: a VBS script program that intends to spread the worm over a local network.
The main worm component sends itself to other machines attached to
e-mails as an EXE file that may have 16 different names (see below). While
spreading, it uses MAPI to connect to an e-mailer.
The main component also drops an additional VBS script helper
(local network worm) to a local disk and spawns it.
When an infected file starts (being activated by a user from an infected message or
from any other source), the worm copies itself into the Windows directory with
“PCpower.exe” and into the Windows system directory with the “MyLinong.exe” name.
The worm then drops the “MyLinong.VBS” file (VBS helper) into the Windows system
These files are then registered in the system registry auto-run keys:
PCPower = %windir%PCpower.exe
MyLinong = %winsystemdir%MyLinong.exe
Linong = %winsystemdir%MyLinong.vbs
The EXE files are two worm copies, and they will be activated by Windows upon
each restart. The VBS file is a VisualBasic script program (see below).
To spread, the worm scans the Inbox for the 50 first messages, obtains messages that
have at least one attached file, and replies with an infected message. The
infected message has a Subject, Body and Attached file that is randomly selected
from 16 variants:
Attached file names:
Light up the night.exe
Info From CFusion
Patch Your CFusion
Still Remember You
Light Up The Night
Olive & Popeye
My Girl Friend’ Dogs
You can update your Cfusion Online For Free
Are You Ready Fix Your Cfusion,Please Update
She is MY sexy Linong
Light up The Night PARTY…
Are You Man or women. This is The sponsor from our site The man choice
100 way to kiss your GirlFriend or your boyfriend
Did you ever see the sexy girls like her
The New Popeye New Cartoon NetWork
Olive And Popeye Cartoon
Good Dog and Smart dogs
My Icq Friend Sweet and Lovely
Here The list of Nude Password Website. All of them Still Active, and few of them are death password
Do you need help ? to get money over the internet. You can read the help
The New Mikropos Software From Mikropos Network
The worm creates the following directories:
“C:Linong I Love U So Much Linong For ever My Love%n”
where %n are numbers from 0 to 500 (in some cases, the worm fails to create
directories, so the upper limit of directory number may be less than 500).
The worm displays the following messages:
on November 14th:
Hi..Nong..I Love You So much.
But today we must Say GoodBye For ever
I wait U in the next Life, and Remember I Love You So Much
This is a modification of the VBS e-mail worm “I-Worm.Linong” and
works as a helper to the main EXE component.
When it is run by Windows (because it is registered in registry Run= key),
it obtains the IP address of the local machine, and then scans the sub-net (for
example, if the local machine’s IP is 10.10.10.1, the worm will try to connect to
all machines by using addresses 10.10.10.n, where ‘n’ is a number from 1 to
In the case there are machines with such addresses, the worm tries to gain access
to their C: drives and copy itself there to the following directories:
(there is a bug in this routine, and the worm fails to perform this).
The worm then tries to send its EXE component from the infected machines, with the
messages containing the following:
Subject: One of this mail
Body: True Story….
(this routine has a bug too, and the worm fails to spread itself).
The worm then, as well as “I-Worm.Linong”, performs the following: