This is email worm spreading by affecting MS Outlook. The worm itself is Win32 executable file about 30K of length. The worm is written in Visual Basic language.
When the worm is run it copies itself to Windows directories with the names:
The second file is then registered in system registry auto-run key:
The “C:Windows” directory name is hardcoded in worm code, so it is not able to affect the system in case Windows directory name is not like that one.
The worm also copies itself with the same name to root directories of all available logical drives (local or remote).
The worm then connects to MS Outlook by using MAPI functions, gets all addresses from Address Book and sends messages to all of them. The messages have:
Text body is randomly selected from four variants:
To hide its activity the worm displays the fake error messages: