This is a dangerous worm that spreads via the Internet in infected e-mails. The worm itself is a Windows application written in Delphi and about 370K in size.
Upon being executed (by clicking on the attached file, for instance), the worm installs itself into the system and registers itself as a service process (hidden application). It then sends infected messages with a copy of itself attached and, depending on the system date, runs its payload routine.
Installation to System
The worm copies itself to the Windows system directory with a name randomly selected from the following variants:
and registers that file in the Registry auto-run key:
The worm sends itself from infected machines as an attached file with random names as above, and with the Subject and message Body randomly selected from the following variants:
To send infected messages, the worm connects to an SMTP server. The worm obtains the name of the SMTP server from the default system settings.
A victim’s e-mail addresses are obtained from the WAB file (Windows Address Book). The messages are also sent each time to:
The worm sends e-mails immediately upon the first start-up, then in time intervals, depending on its internal time counters.
Payloads and other
The worm finds and deletes all *.INF and *.SYS files on the drive where Windows is installed; in most cases this destroys the system.
Starting in September, and on the 15th of each month, the virus runs itself with some video effect.
The worm also creates and modifies the following registry keys:
These keys indicate that: 1st key – e-mail messages have already been sent; 2nd key – INI and SYS files have been deleted.
Depending on its internal time counters, the worm also closes all active application windows, opens/closes the CD drive, blinks the Num/Caps/Scroll-lock keys, and displays 500 messages: