Detect Date 01/11/2002
Class Email-Worm
Platform Win32

Technical Details

This is a dangerous virus-worm that spreads via the Internet attached to
infected e-mails. It installs another Internet worm: I-Worm.Maldal. The worm
also creates destructive payloads.

The worm itself is a Windows PE EXE file about 36.5K in length, and is written in
Visual Basic 5.

The infected messages contain:

The worm is activated from an infected e-mail only when a user clicks on the attached
file. The worm then installs itself to the system, runs its spreading routine and
payload. It displays the following picture only once:


While installing, the worm copies itself to the Windows system directory with the
name “Christmas.exe” and registers this file in the system registry auto-run key.

Zacker = < windir >Christmas.exe

Spreading via E-mail

To send infected messages, the worm uses MS Outlook, and sends messages to
all addresses found in the Outlook address book.

Installation of the other worm

The worm changes a start page for the Internet Explorer to the:*.

This HTM file contains another Internet worm: VBS.Kerza that
will be run after Internet Explorer has been started.

Destructive payload

The worm blocks a keyboard and tries to delete all files in the Windows
System directory.


Find out the statistics of the threats spreading in your region