Email-Worm.Win32.Smilex

Class Email-Worm
Platform Win32
Description

Technical Details

This worm spreads via the Internet as an attachment to infected emails. It is written in Visual Basic and is a Windows PE EXE file, approximately 75KB in size.

Contains the text string:

Smile Internet Explorer  CD_Open

Installation

When launched, the virus copies itself to C:WINDOWSStart MenuStartUpSmile.exe, ensuring that it will gain control every time Windows is started.

It also creates a copy of itself named Poems.exein the C: root directory.

It deletes the following files from the Windows directory:

Defrag.exe
Tuneup.exe
Regedit.exe

It also deletes C:Program FilesInternet ExplorerIexplorer.exe

It deletes all LNK files in C:WindowsDesktop.

It also deletes Norton Antivirus files and directories:

C:Program FilesSymantec Shared 
C:Program FilesNorton AntiVirusv32scan.dll 
C:Program FilesNorton AntiVirusNavtask.dll 
C:Program FilesNorton AntiVirusNavtasks.dll 
C:program filescommon filesSymantec Sharedscriptblocking

and copies itself under the names of the deleted files.

It also deletes Media Player:

C:Program FilesWindows Media Playerwmplayer.exe

Propagation via email

Every time the virus is launched, it sends itself to all addresses found in the MS Outlook address book.

Other

The worm creates an empty directory named OK on disk A: