Email-Worm.Win32.Pnguin

Class Email-Worm
Platform Win32
Description

Technical Details

This worm spreads in e-mail messages and via IRC channels. It is related to the Angela multipartite virus, and the IRC and e-mail components of the worm are detected as “Angela” components.

When run, the worm first copies itself to the Windows system directory under the hardcoded name:

C:\WINDOWS\SYSTEM\PNGUIN.SCR

To send copies of itself by e-mail, the worm creates a TEMP.VBS file containing an additional Visual Basic Script program and spawns it. The script accesses MS Outlook, reads the address book records, and sends a copy of the worm (under the name PNGUIN.SCR) to the first 20 addresses found there. The message contains:

Subject: Finally found it!
Body: Here are the files you asked me for…
Attachment name: PNGUIN.SCR

The script then deletes its VBS file.
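
As an added example (not part of the original description), a mail-gateway style check in Python that flags messages carrying the subject, body text and attachment name listed above. The function names, the generic .scr rule and the sample messages are assumptions constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators taken from the message description above (compared case-insensitively).
SUBJECT = "finally found it!"
BODY_MARKER = "here are the files you asked me for"
ATTACHMENT = "pnguin.scr"

def pnguin_indicators(raw: bytes) -> list:
    """Return the names of the indicators found in one raw e-mail message."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    if (msg["Subject"] or "").strip().lower() == SUBJECT:
        hits.append("subject")
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").strip().lower()
        if name == ATTACHMENT:
            hits.append("attachment-name")
        elif name.endswith(".scr"):
            # Assumption: generic rule, since .scr screensavers are executables.
            hits.append("scr-attachment")
        elif not name and part.get_content_type() == "text/plain":
            if BODY_MARKER in part.get_content().lower():
                hits.append("body")
    return hits

def build_sample(subject, body, filename=None) -> bytes:
    """Constructed test message; the attachment bytes are inert filler."""
    m = EmailMessage()
    m["From"] = "a@example.test"
    m["To"] = "b@example.test"
    m["Subject"] = subject
    m.set_content(body)
    if filename:
        m.add_attachment(b"inert placeholder", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    worm_like = build_sample("Finally found it!",
                             "Here are the files you asked me for...",
                             "PNGUIN.SCR")
    print(pnguin_indicators(worm_like))
    print(pnguin_indicators(build_sample("Lunch?", "See you at noon.")))
```

A message matching all three indicators can be quarantined outright; the subject or body alone is weak evidence and is better used for scoring.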

To infect IRC channels, the worm creates a SCRIPT.INI file in the C:\MIRC directory. That script sends the PNGUIN.SCR file to every user who joins the infected IRC channel.