Class Email-Worm
Platform Win32

Technical Details

This is a virus-worm that spreads via the Internet attached to infected
e-mails. The worm itself is a Windows PE EXE file about 21 KB in length
(compressed by UPX; decompressed size is about 45 KB), and is written in Visual Basic.

Infected messages contain:

Subject: Good News
Attachment: SoftwareKey.exe

The body is selected from the following three variants:

Wanna remove the I-worms CodeRed, BadTrans, Goner, Updater, etc?
Good news for you because we’re giving you a software which removes the latest internet worms in your pc.
Included is your free software from AVP.

Hi! You are a winner of a trip to Iceland.
Included in this message is a software which can help you claim your prize.
See you there!!!

Hi! You have just won yourself a plane ticket to Bali, Indonesia!
Click the attachment to see how to claim your price.
This message is courtesy of

The worm is activated from an infected e-mail only when a user clicks on the attached
file. The worm then installs itself to the system, and copies itself to the
C:\WINDOWS directory with the following names:

C:\WINDOWS\SCANREGW.EXE (the original SCANREGW file is overwritten by the worm copy)

and registers one file in the system registry auto-run key:

System Monitor = c:\WINDOWS\SYSNOM.EXE

The worm then displays the following message:

and starts its e-mail spreading routine. To send infected messages, the worm uses
MS Outlook, sending messages to all addresses found in the Outlook address

The worm then opens the “” site with IEXPLORER.EXE, and starts a DoS attack on
the “” site.

The worm does not manifest itself in any other ways.
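
The message indicators listed above (subject "Good News", attachment SoftwareKey.exe, a UPX-packed PE file) can be checked at a mail gateway. The following Python is an added example, not part of the original description; the verdict names, the sample addresses and the placeholder attachment bytes are constructed assumptions.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators taken from the description above (compared case-insensitively).
SUBJECT = "good news"
ATTACHMENT = "softwarekey.exe"

def match_indicators(raw):
    """Return which indicators from the description a raw message matches."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    if (msg["Subject"] or "").strip().lower() == SUBJECT:
        hits.append("subject")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip().lower()
        data = part.get_payload(decode=True) or b""
        if name == ATTACHMENT:
            hits.append("attachment-name")
        # PE files start with "MZ": flag executables whatever they are named.
        if data[:2] == b"MZ":
            hits.append("pe-attachment")
            # UPX-packed PE files normally keep the section names UPX0/UPX1.
            if b"UPX0" in data[:1024] or b"UPX1" in data[:1024]:
                hits.append("upx-packed")
    return hits

def verdict(raw):
    """Hypothetical gateway policy: the verdict names are assumptions."""
    hits = set(match_indicators(raw))
    if {"subject", "attachment-name"} <= hits:
        return "quarantine"
    if "pe-attachment" in hits:
        return "review"
    return "deliver"

def build_sample(subject, filename, payload):
    """Build a constructed test message; addresses are placeholders."""
    m = EmailMessage()
    m["From"] = "sender@example.test"
    m["To"] = "user@example.test"
    m["Subject"] = subject
    m.set_content("Hi! You are a winner of a trip to Iceland.")
    m.add_attachment(payload, maintype="application", subtype="octet-stream", filename=filename)
    return m.as_bytes()

# Constructed placeholder bytes, not a real executable: "MZ" plus UPX names.
FAKE_PE = b"MZ" + b"\x00" * 62 + b"UPX0\x00\x00\x00\x00UPX1"
if __name__ == "__main__":
    print(verdict(build_sample("Good News", "SoftwareKey.exe", FAKE_PE)))
```

Matching on the PE header as well as the file name keeps the check useful if the attachment is renamed.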
