Email-Worm.Win32.MsWorld

Technical Details

This is email worm spreading by affecting MS Outlook. The worm itself is
Win32 executable file about 130K of length. The worm is written in Visual
Basic language.

When the worm file is run (double click on attached EXE file) it displays “miss World” pictures, for example:

and then runs spreading and two trojan routines.

To spread the worm uses a standard way. It connects to MS Outlook, gets up
to 50 addresses from address book and sends messages to there. The messages
have:

Subject: Miss World
Body: Hi, %��� ����������%
Enjoy the latest pictures of Miss World from various Country

The attached file has the name of original EXE file that was activated. The
“original” EXE file name in which the worm was received is MSWORLD.EXE.

Next the worm appends to the end of C:AUTOEXEC.BAT file DOS batch commands
that display the message:

This Everything for my Girl Friend………, (CatEyes, KRSSL, SS Hostel)

and then format all local fixed drives.

The worm then tries to delete the system registry files and their backups:

SYSTEM.DAT, SYSTEM.DA0, USER.DAT, USER.DA0

Because .DAT these files are usually locked by system, the worm fails to
delete them.

The worm then exits.