This is an Internet worm that spreads in infected e-mails by using MS Outlook. The worm itself is a Windows executable written in Delphi and compressed with the Aspack PE EXE compression utility. The compressed file is about 200 KB; the original (uncompressed) size is about 400 KB.
The worm installs itself into the system and then periodically accesses MS Outlook and sends infected messages. No payload routines were found in the worm code.
The worm disguises its activity as a “Personal ID Generator” utility. The utility's strings are in a Chinese code page, so its window is not displayed correctly under non-Chinese Windows.
While it displays the “Personal ID Generator” window, the worm installs itself into Windows. To do this, it obtains the names of the Windows and Windows system directories and copies itself there under the name “SYSID.EXE”.
To run each time Windows starts, the worm registers its copy in the auto-run section of the system registry:
The worm uses a trick to hide this record: when it starts, it deletes the record from the registry, and when it exits, it restores it. To stay active as long as possible, the worm leaves its copy in Windows memory as
As a result, the record cannot be seen with standard RegEdit: it simply does not exist from the moment Windows completes its start-up until Windows is shut down or rebooted:
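The hiding trick above means that a Run-key check taken while the worm is resident comes back empty, so a triage script has to start from the artifacts the worm cannot hide: the dropped files and the resident process. The PowerShell script below is an added example written for this page, not code from the original description or from any vendor tool. It assumes an NT-based Windows (the "Windows system directory" is taken to be System32, with the older System directory checked as well), that the auto-run record lives under one of the standard HKLM or HKCU ...\CurrentVersion\Run keys (the page does not say which key the worm uses), and that the dropped files keep the names SYSID.EXE and WINVER.VBS.

```powershell
# Added triage example for the SYSID.EXE worm described above (not the worm's code,
# not from the original description). Run from an elevated PowerShell so that
# process paths and HKLM are readable.

$win = $env:SystemRoot
# Assumption: "Windows system directory" is System32 on NT-based Windows; older
# releases used %WINDIR%\System, so both are checked.
$sysDirs = @((Join-Path $win 'System32'), (Join-Path $win 'System'))

# Paths the description says the worm writes to (names assumed unchanged).
$sysidPaths = @(Join-Path $win 'SYSID.EXE') + ($sysDirs | ForEach-Object { Join-Path $_ 'SYSID.EXE' })
$vbsPaths   = $sysDirs | ForEach-Object { Join-Path $_ 'WINVER.VBS' }

Write-Host '== Dropped files =='
foreach ($p in ($sysidPaths + $vbsPaths)) {
    if (Test-Path -LiteralPath $p) {
        $f = Get-Item -LiteralPath $p
        Write-Host ('FOUND    {0}  ({1} bytes, written {2})' -f $p, $f.Length, $f.LastWriteTime)
    } else {
        Write-Host ('clean    {0}' -f $p)
    }
}

Write-Host "`n== Resident copies =="
# The worm keeps its copy in memory for the whole session, so the process is
# visible even though its Run value is not.
$resident = Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and ($sysidPaths -icontains $_.Path) }
if ($resident) {
    $resident | ForEach-Object { Write-Host ('RUNNING  PID {0}  {1}' -f $_.Id, $_.Path) }
} else {
    Write-Host 'no process running from a SYSID.EXE path'
}

Write-Host "`n== Run keys (live view) =="
# Caveat from the description: while the worm is resident it has already deleted
# its Run value, so an empty result here proves nothing. To see the value the
# worm hides, read the SOFTWARE/NTUSER hive offline (reg load from a non-booted
# copy of the disk, or boot from clean media) rather than the live registry.
# Assumption: the worm uses one of the standard Run keys below.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($k in $runKeys) {
    $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if ($null -eq $props) { continue }
    $props.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -imatch 'SYSID\.EXE' } |
        ForEach-Object { Write-Host ('RUN VALUE  {0}\{1} = {2}' -f $k, $_.Name, $_.Value) }
}
```

The order of the checks is the point: a file on disk plus a process running from that path is enough to call the host infected, and the Run-key section is kept only to document that a negative result there is expected and must be confirmed from an offline hive or after booting clean media.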
To spread via e-mail, the worm runs a helper file. This is a Visual Basic Script (VBS) application that the worm creates in the Windows system directory under the name WINVER.VBS. The VBS program gains access to MS Outlook, selects names at random from the AddressBook, and creates and sends messages to these addresses. The number of addresses infected depends on the total number of addresses in the AddressLists. In case there are fewer than 200
The infected message body is empty. The message Subject is randomly selected from the subjects found in the “Sent Items” Outlook folder.
The message has four attached files. The first is a copy of the worm EXE with a name randomly selected from 100 variants (see below); the second attachment is randomly selected from the .JPEG, .JPG, .DOC and .XLS files found in “C:My
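The message pattern described above (empty body, subject reused from Sent Items, four attachments of which one is the worm EXE and one a document or image taken from the victim's own files) is distinctive enough to check whether a mailbox has already been used to spread the worm. The PowerShell script below is an added example for this page, not the worm's WINVER.VBS and not from the original description; it walks the Sent Items folder through the same Outlook object model that the worm's script abuses. It assumes Outlook is installed with a configured profile, and because the page does not reproduce the list of EXE names, it matches on the .exe extension rather than on specific names; the folder and item class constants are the standard Outlook object-model values.

```powershell
# Added example: look for already-sent worm messages in the local Outlook profile.
# Not the worm's code and not from the original description.
$ol   = New-Object -ComObject Outlook.Application
$ns   = $ol.GetNamespace('MAPI')
$sent = $ns.GetDefaultFolder(5)      # olFolderSentMail = 5

$suspects = foreach ($item in $sent.Items) {
    if ($item.Class -ne 43) { continue }               # olMail = 43; skip non-mail items
    if ($item.Attachments.Count -lt 4) { continue }    # description: four attachments
    if (-not [string]::IsNullOrWhiteSpace($item.Body)) { continue }   # description: empty body

    $names = @($item.Attachments | ForEach-Object { $_.FileName })
    # Assumption: EXE name list is not available here, so match on the extension;
    # the bait file is one of the types the description lists.
    $exe  = $names | Where-Object { $_ -imatch '\.exe$' }
    $bait = $names | Where-Object { $_ -imatch '\.(jpe?g|doc|xls)$' }
    if ($exe -and $bait) {
        [pscustomobject]@{
            Sent        = $item.SentOn
            To          = $item.To
            Subject     = $item.Subject
            Attachments = ($names -join ', ')
        }
    }
}

if ($suspects) {
    $suspects | Format-Table -AutoSize
} else {
    Write-Host 'No messages in Sent Items match the worm pattern.'
}
```

Because the worm selects subjects from the same Sent Items folder, the Subject column is of little use on its own; the empty body combined with an EXE plus a personal document or image among four attachments is what to act on, and each hit gives the recipient list that needs to be warned. On Outlook versions with the Object Model Guard the script triggers the "a program is trying to access e-mail addresses" prompt; that prompt is the same control that stops the worm's VBS helper from reading the AddressBook silently.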
The list of possible worm EXE names appears as follows: