Class Email-Worm
Platform Win32

Technical Details

This worm spreads via the Internet as an attachment to infected emails. It is written in Visual Basic and is a Windows PE EXE file, approximately 75KB in size.

Contains the text string:

Smile Internet Explorer  CD_Open


When launched, the virus copies itself to C:WINDOWSStart MenuStartUpSmile.exe, ensuring that it will gain control every time Windows is started.

It also creates a copy of itself named Poems.exein the C: root directory.

It deletes the following files from the Windows directory:


It also deletes C:Program FilesInternet ExplorerIexplorer.exe

It deletes all LNK files in C:WindowsDesktop.

It also deletes Norton Antivirus files and directories:

C:Program FilesSymantec Shared 
C:Program FilesNorton AntiVirusv32scan.dll 
C:Program FilesNorton AntiVirusNavtask.dll 
C:Program FilesNorton AntiVirusNavtasks.dll 
C:program filescommon filesSymantec Sharedscriptblocking

and copies itself under the names of the deleted files.

It also deletes Media Player:

C:Program FilesWindows Media Playerwmplayer.exe

Propagation via email

Every time the virus is launched, it sends itself to all addresses found in the MS Outlook address book.


The worm creates an empty directory named OK on disk A:

Find out the statistics of the threats spreading in your region