Parent class: VirWare

Viruses and worms are malicious programs that self-replicate on computers or via computer networks without the user being aware; each subsequent copy of such malicious programs is also able to self-replicate. Malicious programs which spread via networks or infect remote machines when commanded to do so by the “owner” (e.g. Backdoors) or programs that create multiple copies that are unable to self-replicate are not part of the Viruses and Worms subclass. The main characteristic used to determine whether or not a program is classified as a separate behaviour within the Viruses and Worms subclass is how the program propagates (i.e. how the malicious program spreads copies of itself via local or network resources.) Most known worms are spread as files sent as email attachments, via a link to a web or FTP resource, via a link sent in an ICQ or IRC message, via P2P file sharing networks etc. Some worms spread as network packets; these directly penetrate the computer memory, and the worm code is then activated. Worms use the following techniques to penetrate remote computers and launch copies of themselves: social engineering (for example, an email message suggesting the user opens an attached file), exploiting network configuration errors (such as copying to a fully accessible disk), and exploiting loopholes in operating system and application security. Viruses can be divided in accordance with the method used to infect a computer:
  • file viruses
  • boot sector viruses
  • macro viruses
  • script viruses
Any program within this subclass can have additional Trojan functions. It should also be noted that many worms use more than one method in order to spread copies via networks.

Class: Email-Worm

Email-Worms spread via email. The worm sends a copy of itself as an attachment to an email message or a link to its file on a network resource (e.g. a URL to an infected file on a compromised website or a hacker-owned website). In the first case, the worm code activates when the infected attachment is opened (launched). In the second case, the code is activated when the link to the infected file is opened. In both case, the result is the same: the worm code is activated. Email-Worms use a range of methods to send infected emails. The most common are: using a direct connection to a SMTP server using the email directory built into the worm’s code using MS Outlook services using Windows MAPI functions. Email-Worms use a number of different sources to find email addresses to which infected emails will be sent: the address book in MS Outlook a WAB address database .txt files stored on the hard drive: the worm can identify which strings in text files are email addresses emails in the inbox (some Email-Worms even “reply” to emails found in the inbox) Many Email-Worms use more than one of the sources listed above. There are also other sources of email addresses, such as address books associated with web-based email services.

Read more

Platform: Win32

Win32 is an API on Windows NT-based operating systems (Windows XP, Windows 7, etc.) that supports execution of 32-bit applications. One of the most widespread programming platforms in the world.


Technical Details

This is an Win32 e-mail worm. The worm has two components:

  • Main: a Win32 application (PE EXE file) that is about 360K in size, and written in Delphi.
  • Helper: a VBS script program that intends to spread the worm over a local network.

    The main worm component sends itself to other machines attached to e-mails as an EXE file that may have 16 different names (see below). While spreading, it uses MAPI to connect to an e-mailer.

    The main component also drops an additional VBS script helper (local network worm) to a local disk and spawns it.

    Main Component

    When an infected file starts (being activated by a user from an infected message or from any other source), the worm copies itself into the Windows directory with "PCpower.exe" and into the Windows system directory with the "MyLinong.exe" name. The worm then drops the "MyLinong.VBS" file (VBS helper) into the Windows system directory.

    These files are then registered in the system registry auto-run keys:

    PCPower = %windir%PCpower.exe
    MyLinong = %winsystemdir%MyLinong.exe
    Linong = %winsystemdir%MyLinong.vbs

    The EXE files are two worm copies, and they will be activated by Windows upon each restart. The VBS file is a VisualBasic script program (see below).


    To spread, the worm scans the Inbox for the 50 first messages, obtains messages that have at least one attached file, and replies with an infected message. The infected message has a Subject, Body and Attached file that is randomly selected from 16 variants:

    Attached file names:

    Light up the night.exe


    Info From CFusion
    Patch Your CFusion
    Still Remember You
    Light Up The Night
    Man Choice
    Kiss Me
    Sexy Model
    Popeye Cartoon
    Olive & Popeye
    MyGirlFriend Dogs
    My Girl Friend' Dogs
    Sweet Lovely
    Need Help

    Message bodies:

    You can update your Cfusion Online For Free
    Are You Ready Fix Your Cfusion,Please Update
    She is MY sexy Linong
    Light up The Night PARTY...
    Are You Man or women. This is The sponsor from our site The man choice
    100 way to kiss your GirlFriend or your boyfriend
    Did you ever see the sexy girls like her
    The New Popeye New Cartoon NetWork
    Olive And Popeye Cartoon
    Nice dog...
    Good Dog and Smart dogs
    My Icq Friend Sweet and Lovely
    Here The list of Nude Password Website. All of them Still Active, and few of them are death password
    Do you need help ? to get money over the internet. You can read the help
    The New Mikropos Software From Mikropos Network


    The worm creates the following directories:

    "C:Linong I Love U So Much Linong For ever My Love%n"

    where %n are numbers from 0 to 500 (in some cases, the worm fails to create directories, so the upper limit of directory number may be less than 500).

    The worm displays the following messages:

  • on June 25th:
    Message From Me
    Happy Birthday To MyLinong
    Still Remember Me...
  • on July 22nd:
    Today I want tell you Once again that
    Hey user, Please Help me to Tell the world
    That I Love Her So Much
  • on November 14th:
    Hi..Nong..I Love You So much.
    But today we must Say GoodBye For ever
    I wait U in the next Life, and Remember I Love You So Much

    VBS Helper

    This is a modification of the VBS e-mail worm "I-Worm.Linong" and works as a helper to the main EXE component.

    When it is run by Windows (because it is registered in registry Run= key), it obtains the IP address of the local machine, and then scans the sub-net (for example, if the local machine's IP is, the worm will try to connect to all machines by using addresses 10.10.10.n, where 'n' is a number from 1 to 254).

    In the case there are machines with such addresses, the worm tries to gain access to their C: drives and copy itself there to the following directories:

    "C:windowsstart menuprogramsstartup"

    (there is a bug in this routine, and the worm fails to perform this).

    The worm then tries to send its EXE component from the infected machines, with the messages containing the following:

    Subject: One of this mail
    Body: True Story....
    Attach: mylinong.exe

    (this routine has a bug too, and the worm fails to spread itself).

    The worm then, as well as "I-Worm.Linong", performs the following:

  • creates 600 empty directories �:LINONG I LOVE YOU MY FOLDER%n (where %n is number from 1 to 600)
  • creates its copies with the following names:
  • and registers a non-existing file in the system registry:
    HKLMSoftwareMicrosoftWindowsCurrentVersionRunServices Vbrun32DLL = %windows%Win32DLL.vbs
    The worm then creates an HTA file and opens it, which, as a result, displays the text:
    I Love You
    You are the love of my love, 5173n1n3ty31gh7
    Almost One Year.., Miss U

    Read more

    Find out the statistics of the vulnerabilities spreading in your region on

    Found an inaccuracy in the description of this vulnerability? Let us know!
  • Kaspersky Next
    Let’s go Next: redefine your business’s cybersecurity
    Learn more
    New Kaspersky!
    Your digital life deserves complete protection!
    Learn more
    Confirm changes?
    Your message has been sent successfully.