Detect Date 11/14/2005
Class Email-Worm
Platform Win32

This worm spreads via the Internet as an attachment to infected messages. It sends itself to email addresses harvested from the victim computer.

The worm itself is a PE EXE file 15462 bytes in size, written in Visual Basic.


When installing, the worm copies itself to the Fonts folder in the Windows root directory under a random name:

%Windir%Fonts<random name>.com

The worm also registers itself in the system registry, ensuring that it will be launched each time Windows is rebooted on the victim machine:


 "TempCom"="%Windir%Fonts<random name>.com"

The worm modifies the following system registry entries:




 “HideFileExt” = “1”

 “Hidden” = “0”

Propagation via email

The worm sends itself to addresses harvested from the MS Windows address books on the victim machine.

Infected messages

Message subject


Attachment name