This is Email/IRC worm. The worm body itself is Win32 PE EXE file written in VisualBasic. The worm has too many bugs to be described well.
It copies itself to:
and registers itself in Registry keys:
“C:windowssystemsystray_.exe” %1 %*
SystemTray = C:Windowssystemsystray_.exe
SystemTray = C:Windowssystemsysboot_.exe
(the last line overlaps first one, so first line disappear in system registry).
Program Name = X-Coderz
CurrentVersionNumber = X-Coderz.VBS.03.A
(it intends to write more lines to there, but fails).
The messages sent by Email (it also fails to do that) contain the INSTALL_.EXE attached file, the message text and subject are selected from variants:
Hey, How Are Things? I’m Writing This E-Mail To Let You Know Of An
Attachment Im Sending With The Next Mail You Will Probably Find. It Very
Useful. I did! See You Soon
Hey Its Me Again,Here You Go Its The Installation Program For An Adults
Only Explicit Screensaver (Pornographic)
Hey Its Me Again,Here You Go Its The Installation Program For An Outlook
Express Security Upgrade
Hey Its Me Again,Here You Go Its The Installation Program For A Microsoft
Explorer Patch V7.5 (Required For Many Sites)
Hey Its Me Again,Here You Go Its The Installation Program For A Cool Game
I Found On The Web, Try It!
Hey Its Me Again,Here You Go Its The Installation Program For An
Excellent MP3 Player With Plug-Ins LIMITED EDITION
To spread itslef throug IRC channels the worm affects the mIRC client in C:Mirc directory. The worm writes
(successfully) the SCRIPT.INI file with commands that send to IRC channels the worm copy with “installx2.exe” name, and send to there the message too:
You gotta see this. Talk about hard core, jesus!! This is kinky at its
best… you gotta see this, just look at it!!
The worm deletes Norton Anti-Virus data files: C:Program FilesNorton AntiVirus*.dat
On June 22 the worm intends to display (but fails) the message box:
X-Coderz VBS Virus 0.3
X-Coderz Have Taken Control
Remove Virus From Your System?