This worm spreads via the Internet as an attachment to infected emails. It is written in Visual Basic and is a Windows PE EXE file, approximately 75KB in size.
It contains the text string:
Smile Internet Explorer CD_Open
When launched, the virus copies itself to C:\WINDOWS\Start Menu\StartUp\Smile.exe, ensuring that it will gain control every time Windows is started.
It also creates a copy of itself named Poems.exe in the C: root directory.
It deletes the following files from the Windows directory:
Defrag.exe
Tuneup.exe
Regedit.exe
It also deletes C:\Program Files\Internet Explorer\Iexplorer.exe
It deletes all LNK files in C:\Windows\Desktop.
It also deletes Norton Antivirus files and directories:
C:\Program Files\Symantec Shared
C:\Program Files\Norton AntiVirus\v32scan.dll
C:\Program Files\Norton AntiVirus\Navtask.dll
C:\Program Files\Norton AntiVirus\Navtasks.dll
C:\program files\common files\Symantec Shared\scriptblocking
and copies itself under the names of the deleted files.
It also deletes Media Player:
C:\Program Files\Windows Media Player\wmplayer.exe
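The file-system changes listed above can be checked on a mounted copy of an affected C: volume. The triage script below is an added example, not part of the original description. Its function names are hypothetical, and it assumes that any file the worm replaced is byte-identical to the dropped Smile.exe or Poems.exe and that every file named above is a candidate for replacement.

```python
import hashlib
import sys
from pathlib import Path

# Paths from the description above, relative to the root of the C: volume.
DROPPED = ["WINDOWS/Start Menu/StartUp/Smile.exe", "Poems.exe"]
TARGETS = [
    "WINDOWS/Defrag.exe", "WINDOWS/Tuneup.exe", "WINDOWS/Regedit.exe",
    "Program Files/Internet Explorer/Iexplorer.exe",
    "Program Files/Norton AntiVirus/v32scan.dll",
    "Program Files/Norton AntiVirus/Navtask.dll",
    "Program Files/Norton AntiVirus/Navtasks.dll",
    "Program Files/Windows Media Player/wmplayer.exe",
]

def resolve(root, rel):
    """Case-insensitive lookup, so an image mounted on Linux resolves correctly."""
    cur = Path(root)
    for part in rel.split("/"):
        if not cur.is_dir():
            return None
        hits = [c for c in cur.iterdir() if c.name.lower() == part.lower()]
        if not hits:
            return None
        cur = hits[0]
    return cur

def digest(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def triage(root):
    """Return (status, path) pairs: 'dropped', 'replaced' or 'missing'."""
    findings, worm = [], set()
    for rel in DROPPED:
        p = resolve(root, rel)
        if p and p.is_file():
            worm.add(digest(p))
            findings.append(("dropped", rel))
    for rel in TARGETS:
        p = resolve(root, rel)
        if p is None:
            # Weak signal on its own: the file may never have been installed.
            findings.append(("missing", rel))
        elif p.is_file() and digest(p) in worm:
            # Same bytes as a dropped copy (assumption): the worm took this name.
            findings.append(("replaced", rel))
    return findings

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."  # root of the mounted volume
    for status, rel in triage(root):
        print(f"{status:9} {rel}")
```

A "replaced" finding is the strongest indicator here, since it means a system or antivirus file name now holds the same bytes as the startup copy.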
Propagation via email
Every time the virus is launched, it sends itself to all addresses found in the MS Outlook address book.
The worm creates an empty directory named OK on disk A: