Proactive IT security

W32/Brid.A@mm

Threat risk: medium

Detection files published: 07 Nov 2002
Description created: 2002-11-06
Description updated: 2002-11-06

Alias: W32/Braid.A, PE_BRID
Spreading mechanism: Email
Payload: Installs virus

Summary

This is an email worm, written in Visual Basic 6, which also drops a new variant of an old file-infecting virus.

Spreading description

Email characteristics:

Subject: Semi-Variable (Company name)
Body: Semi-variable

Attachment: README.EXE

The worm uses data found on the infected computer to create the message subject and body.

When executed, it sends itself to all users in the Outlook address book. It does this by contacting the mail server directly. When the worm spreads via email, a recipient may be infected merely by previewing or opening the mail in Outlook/Outlook Express. This is accomplished using a known security hole, "Incorrect MIME Header Can Cause IE to Execute E-mail Attachment".

Information and a patch are available from:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-020.asp

The security hole is a known issue with Internet Explorer versions 5.01 and 5.5 without SP2. Users who have this configuration should apply the available patch.
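A mail gateway can catch this delivery pattern independently of client patching. The following is an added example, not part of the original description or of any Norman product: it flags attachments whose file name is executable, and marks those whose declared Content-Type does not describe a program file. The extension list, the accepted types, the function names and the `audio/x-wav` type in the constructed sample are assumptions, not values from this description.

```python
import email
from email import policy

# Assumption: extensions a Windows mail client would treat as executable.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd"}
# Assumption: declared types that honestly describe a program file.
BINARY_TYPES = {"application/octet-stream", "application/x-msdownload"}

def flag_attachments(raw: bytes):
    """Return [(filename, declared_type, verdict)] for executable-named parts."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        # get_filename() reads Content-Disposition, then Content-Type name=
        name = part.get_filename()
        if part.is_multipart() or not name:
            continue
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext not in EXECUTABLE_EXTS:
            continue
        ctype = part.get_content_type()
        # A program file announced as audio, image, etc. is the stronger signal.
        verdict = "executable" if ctype in BINARY_TYPES else "type-mismatch"
        findings.append((name, ctype, verdict))
    return findings

def make_sample(ctype: str, filename: str) -> bytes:
    """Build a constructed two-part test message (not a captured sample)."""
    return (
        "From: sender@example.com\n"
        "To: rcpt@example.com\n"
        "Subject: constructed sample\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="b1"\n\n'
        "--b1\nContent-Type: text/plain\n\nhello\n"
        f'--b1\nContent-Type: {ctype}; name="{filename}"\n'
        f'Content-Disposition: attachment; filename="{filename}"\n'
        "Content-Transfer-Encoding: base64\n\nTVo=\n--b1--\n"
    ).encode()

if __name__ == "__main__":
    for ctype, fname in [("audio/x-wav", "README.EXE"),
                         ("application/octet-stream", "README.EXE"),
                         ("text/plain", "notes.txt")]:
        print(ctype, fname, flag_attachments(make_sample(ctype, fname)))
```

Both verdicts warrant quarantine at a gateway; the "type-mismatch" verdict is the one that corresponds to the incorrect-MIME-header delivery described above.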

It installs several files to the hard disk, some of which contain the worm itself and some of which contain a new variant of the FunLove virus. This FunLove variant differs only slightly from the original, and NVC already detects and cleans it.

It also modifies the Registry so that the worm starts at bootup:

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value name: regedit
Value data: [systemdir]\regedit.exe

Removal

General information about removal of malicious software

Norman's antivirus products are in general able to remove all malicious software that is detected.
Some malware, however, uses techniques that the general product does not remove sufficiently. We have therefore developed the free product Norman Malware Cleaner. If your Norman antivirus is unable to clean up the infection, please use the latest version of this program from the link below.

Usage Title Comment
  Blocking of viruses that infect network shares  
  Cleaning of back-up folders on Windows Me and XP