This is an Internet worm spreading via e-mail by sending infected messages from infected computers. While spreading, the worm uses MS Outlook, and sends itself to all addresses that are stored in the MS Outlook Address Book. The worm itself is a Win32 application about 70K in length, written in VisualBasic.
When run (if a user clicks on an attached infected file), the worm sends its copies by e-mail, and performs the following destructive action: the worm deletes
The worm does not installs itself into the system and does not touch system registry (i.e. does not registers itself in there). This is “direct action” worm that performs its action only once being activated from infected message. The worm copies itself to Windows TEMP directory, but does not use that copy.
When run, the worm displays a fake window with a “Macromedia Flash Player” picture in it, and it displays a “Loading”, “Loading…”, “Loading…” message in
The menus in the window do not summon any action when they are selected, except the “Help” menu. Upon selecting it, the “About Macromedia Flash Player 5…” item appears, when that item is selected, the worm displays the message box:
The worm sends itself as an e-mail message with an attached EXE file that is the worm itself. The message consists of:
where [CurrentUser] is the name of the sender.
Being activated by a user (by double clicking on an attached file), the worm opens MS Outlook, gains access to the Address Book, obtains all addresses from there and sends messages with its attached copy to all of them. The message subject, body and attached file name are the same as above.