This is a Visual Basic Script trojan that has been spammed as
"Men & Women.html".
Part of the code is encrypted and decrypts on the fly. If a user
open this file Chango first checks the Visual Basic Script version.
If it is more than 4 then it creates two files:
"C:\WINDOWS\LOGOS.SYS" and "C:\WINDOWS\LOGOW.SYS". Those files
are scriptlet objects and contain the string "TROJAN.Chango".
After that the trojan attempts to create in the Windows startup
directory of English, Spanish and Portuguese environments the
file "TROJAN.CHANGO.HTM".
Further every time the a system is rebooted it will run the IE
and open "TROJAN.CHANGO.HTM" that looks like:
Chango doesn't contain any destructive payload.
[Analysis: Katrin Tocheva and Sami Rautiainen, F-Secure]
