Class Email-Worm
Platform Win32

Technical Details

This is an Internet worm that replicates by sending infected e-mail
messages. It uses several vulnerabilities in the Microsoft Internet
Explorer, Outlook and Windows Media Player to start automatically when an
infected message is viewed.

Infected Messages

Infected messages that are sent by the worm have various subjects and
message bodies, that are generated from several pre-defined strings.

From field: Display name and e-mail address of the infected computer’s

Possible subjects:

  • Hi (recipient’s name)
  • Dear (recipient’s name)
  • Hello (recipient’s name)
  • My friend, (recipient’s name)
  • How are you !! (recipient’s name)

Message bodies are concatenated from the following strings:

  • Hi (recipient’s name) , See this funny video.
  • Dear (recipient’s name) , This is interesting movie.
  • Hello (recipient’s name) + , Open the + cute + penguin.
  • My friend, (recipient’s name) , Attached is my amusing clip.
  • How are you !! (recipient’s name) , Watch my special tape.

For example,

Dear Vasily Pupkin, Watch my amusing video.

Infected messages contain the following attachments:

  • mi2.chm, 11397 bytes
  • mi2.exe, 73752 bytes
  • mi2.htm, 539 bytes
  • mi2.wmv, 19485 bytes


The worm doesn’t install itself in the infected system, and is launched
only when it is executed from an infected message.


The worm accesses information from the Windows Address Book (WAB) to get
e-mail addresses, and then sends infected messages to these addresses. To
send infected messages it uses a direct connection to the default SMTP
server set up in the infected system.


The worm sends a “notification message” to several addresses at the
“” mail domain that are randomly selected from a list of 120
e-mail addresses. The subject of this message contains the default e-mail
address of the infected computer’s owner.

Find out the statistics of the threats spreading in your region