This worm spreads via Outlook, mIRC and Pirch. It spreads immendiately
after an infected message has been opened, if and only if the security
settings of Internet Explorer has been set to "Low" level.
Forgotten does not send any attachments. Instead, the worm code is
embedded into the HTML formatted message body.
Once a user opens an infected message, the embedded script in the HTML
message will drop a file 'vb1.com.vbs' into both Windows and Windows System
directories, and a copy from Windows directory is executed.
Next the worm sends infected message to each recipient listed in the
address book. The infected message look as follows:
Subject: RE: FINANCING
You need ActiveX enabled if you want to see this e-mail.
Please open this message again and click accept ActiveX
The worm modifies the registry and it will not send itself again.
If the Internet Explorer security settings have been lowered, and the
worm executes, the following message will be shown:
YOU WILL NOT FORGET THIS MOMENT, NEVER!
[Analysis: Katrin Tocheva and Sami Rautiainen, F-Secure; December 2000]