This is a worm virus that spreads via the Internet as an attachment to infected emails. The worm
The worm itself is a Windows PE EXE file about 91Kb in length, written in Microsoft Visual C++.
While installing, the worm copies itself to the Windows system directory with the randomly selected
where %rnd% is a random number, and registers that file in the system registry auto-run key:
There are two values written to all those keys:
where %worm name% is the worm file name without extensions, %worm file name% is the full file name, for
It seems that the “.default” duplicate is written to the registry key because of a bug in the worm code.
Later the worm also copies itself to the Desktop under the name EXPLORER.PIF.
To get victim emails, the worm looks for *.HTM and *.DBX files and extracts email addresses
While sending itself, the worm appends the following information to its copy:
Using this data, it is possible to trace the “migration” process of a particular worm copy.
The infected messages have different data in email fields. Below the %RegisteredOwner% and
The subject is selected randomly (depending on the worm “generation”) from these variants:
The last (third) variant is selected if there is no “RegisteredOrganization” key in
The message body is also selected depending on the worm generation:
Attached file names can be different, for example:
Where “WIN” names have a random number at the end (in this case – “40B1”). At the same time
To run from an infected message, the worm uses two security breaches:
The worm looks for anti-virus programs, firewalls and debuggers and tries to terminate them, as
The worm drops a “WIN%Rnd%.TMP” file to the Windows system directory, writes the “Win32.Funlove” virus to
The worm displays the message:
In an endless loop the worm opens the http://www.symantec.com Web site (it seems that worm
The worm also has the following encrypted text strings: