The worm executable is packed with ASPack and JDPack.
Some of the text on the worm's executable has been scrambled
It will copy itself to:
Adding an entry in WIN.INI to be loaded at Windows startup.
As well as to the location:
For which an entry in the Windows Registry will be created:
"Hardware Profile" = %sysdir%\hxdef.exe
It will try to send email through Windows' MAPI. The messages sent through this method
have the following characteristics.
The body will contain the text:
If you can keep your head when all about you
Are losing theirs and blaming it on you;
If you can trust yourself when all men doubt you,
But make allowance for their doubting too;
If you can wait and not be tired by waiting,
Or, being lied about,don't deal in lies,
Or, being hated, don't give way to hating,
And yet don't look too good, nor talk too wise;
... ... more look to the attachment.
And attachment file name chosen from:
the hardcore game-.pif
Sex in Office.rm.scr
How to Crack all gamez.exe
dreamweaver MX (crack).exe
StarWars2 - CloneAttack.rm.scr
Industry Giant II.exe
DSL Modem Uncapper.rar.exe
Britney spears nude.exe.txt.exe
I am For u.doc.exe
When using its internal SMTP engine, messages will look like:
Mail Delivery System
Mail Transaction Failed
This is a multi-part message in MIME format.
Mail failed. For further assistance, please contact!
The message contains Unicode characters and has been sent as a binary
It's the long-awaited film version of the Broadway hit. The message sent as
a binary attachment.
Attachment name will be composed from a name chosen from:
followed by a extension like:
It will copy itself to the Kazaa shared folder with names like:
Local Network Spreading.
When copying itself to shared resources, the following filenames will be used:
Documents and Settings.txt.exe
Windows Media Player.zip.exe
Detection in F-Secure Anti-Virus was published on April 5th, 2004 with