Click anywhere to stop


Detect Date 11/14/2005
Class Email-Worm
Platform Win32

This worm spreads via the Internet as an attachment to infected messages. It sends itself to email addresses harvested from the victim computer.

The worm itself is a PE EXE file 15462 bytes in size, written in Visual Basic.


When installing, the worm copies itself to the Fonts folder in the Windows root directory under a random name:

%Windir%Fonts<random name>.com

The worm also registers itself in the system registry, ensuring that it will be launched each time Windows is rebooted on the victim machine:


 "TempCom"="%Windir%Fonts<random name>.com"

The worm modifies the following system registry entries:




 “HideFileExt” = “1”

 “Hidden” = “0”

Propagation via email

The worm sends itself to addresses harvested from the MS Windows address books on the victim machine.

Infected messages

Message subject


Attachment name

Find out the statistics of the threats spreading in your region