This is a virus-worm that spreads via the Internet by using MS Outlook. The worm itself is a Windows EXE file about 37Kb in length, and written in VisualBasic. The worm uses a standard MW97_Melissa-like way of spreading: it opens the MS Outlook address book, obtains addresses from there, and sends its copies to these addresses. The message reads as follows:
The worm then sends a “notification” message to its author and informs him about the next infected computer:
The worm also creates its copies on the C: disk with the following names:
The second copy is placed in the auto-run directory so it will be activated upon each Windows restart.
The worm has a dangerous payload. It scans all disk drives, obtains ZIP, MP3, and JPG files, and renames them to C: drive with the following name:
for example, BGAMEX.JPG and DATA.ZIP are moved to:
The worm also creates the text file “c:messageforu.txt”, writes the text there and adds list of removed files, such as the following: