Click anywhere to stop


Class Email-Worm
Platform Win32

Technical Details

This is an Internet-worm spreading via e-mail, sending infected messages from infected computers. While spreading, the worm uses MS Outlook and sends itself to all addresses that are stored in the MS Outlook Address Book.

The worm itself is a Win32 application written in VisualBasic. The worm code
seems to be based on the “I-Worm.LoveLetter” VBS worm (the
worm’s routines and their names look very similar to “Loveletter” ones), and
its seems that this worm was created by adapting “Loveletter” VBS source to
VisualBasic language.

When run (if a user clicks on an attached infected file), the worm sends its
copies by e-mail, installs itself into the system and performs destructive

The worm sends itself as e-mail messages with an attached EXE file, that is the
worm itself.

The message appears a follows:

The Subject: My baby pic !!!
Message body: Its my animated baby picture !!
Attached file name: mybabypic.exe

Upon being activated by a user (by double clicking on an attached file), the worm opens
MS Outlook, gains access to the Address Book, obtains all addresses from there
and sends messages with its attached copy to all of them. The message
subject, body and attached file name are the same as above.

The worm also installs itself into the system. It creates its copies in
the Windows system directory with the following names:


and registers in the Windows auto-run section in the system registry:

HKLMSoftwareMicrosoftWindowsCurrentVersionRunmybabypic = %WinSystem%mybabypic.exe
HKLMSoftwareMicrosoftWindowsCurrentVersionRunWINKernel32 = %WinSystem%WINKernel32.exe
HKLMSoftwareMicrosoftWindowsCurrentVersionRunServices = %WinSystem%Win32DLL.exe

where %WinSystem% is the Windows system directory. As a result, the worm is
re-activated each time Windows is booted up.

The worm also creates the following registry key:

Default = HACK[2K]
mailed = %number%

where %number% is a number from 0 to 3 and depends on the process the worm
is currently performing or has finished: installing, spreading, activating its
payload routine.

The payload routine is rather large. Depending on the system date and time,
the worm:

  • switches on/off NumLock, CapLock and ScrollLock keys
  • sends to keyboard buffer the following message:


  • connects the site and sends one of the texts to


The worm also corrupts and/or affects other files. It scans subdirectory
trees on all available drives, lists all files there and depending on
filename extension, performs one of the following actions:

VBS, VBE: the worm destroys these files’ contents.

JS, JSE, CSS, WSH, SCT, HTA, PBL, CPP, PAS, C, H: the worm creates a new
file with an original filename plus the “.EXE” extension, and copies its body to
there, and then deletes the original file; i.e., the worm overwrites these files
with its code and renames them with ann EXE extension. For example, “TEST.CPP”
becomes “TEST.EXE”.

JPG, JPEG: the worm does the same as above, but adds an “.EXE” extension to
the full file name (does not rename to “.EXE”). For example, “PIC1.JPG” becomes

MP2, MP3, M3U: the worm creates a new file with an “.EXE” extension (for
“SONG.MP2”, the worm creates the “SONG.MP2.EXE” file), writes its code to
there and sets the file attribute “hidden” for the original file.

Find out the statistics of the threats spreading in your region