Summary

This worm spreads via Outlook, mIRC and Pirch. It spreads immendiately after an infected message has been opened, if and only if the security settings of Internet Explorer has been set to "Low" level.

Forgotten does not send any attachments. Instead, the worm code is embedded into the HTML formatted message body.

Once a user opens an infected message, the embedded script in the HTML message will drop a file 'vb1.com.vbs' into both Windows and Windows System directories, and a copy from Windows directory is executed.

Next the worm sends infected message to each recipient listed in the address book. The infected message look as follows:

        Subject:  RE: FINANCING
        Body:

	You need ActiveX enabled if you want to see this e-mail.
	Please open this message again and click accept ActiveX
	Microsoft Outlook

The worm modifies the registry and it will not send itself again.

If the Internet Explorer security settings have been lowered, and the worm executes, the following message will be shown:

    YOU WILL NOT FORGET THIS MOMENT, NEVER!

[Analysis: Katrin Tocheva and Sami Rautiainen, F-Secure; December 2000]