The Memas worm usually arrives as an executable e-mail attachment.
When the worm's file is run, it drops a Visual Basic script file
as C:\FEMAIL.VBS and activates it.
The Visual Basic Script part does the mass mailing of the worm.
It first checks for the presence of a Windows
and if it does not exist, it creates such a key. Thus the worm will
mass mail once per infected computer.
Next, it uses the Outlook Application object to get all addresses
from the address book and mass mails a copy of the worm in messages
that look as follows:
Subject: "Hi Friend"
Body: "Please See The Attachment"
Attachment: <worm's file name>
The <worm's file name> is the name of the worm's file, which
depends on the name of the infected attachment that was
originally run by a user.
To hide this action the Visual Basic Script deletes all sent
The worm is capable of infecting executable files on an infected
computer. It scans all available drives and prepends itself to
all found executable files. However, the worm does not infect
files in folders that have the following names:
The worm also doesn't infect files with the following names:
All infected files are marked by adding the 'ShohdiEmail' line to
their ends. When an infected file is run, the worm takes control,
extracts the original file's contents to the same folder, but
with .SEL extension and runs the extracted file.
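The marker and the .SEL leftovers described above can be used to triage a disk image or file share. The following is an added example, not part of the original description or any F-Secure tool: it flags files whose last line is 'ShohdiEmail' and any .SEL files next to them. It assumes the marker is stored as ASCII, that it sits within the last 64 bytes of the file, and that the files of interest carry the .exe extension; the sample files are constructed.

```python
import os
import tempfile

MARKER = b"ShohdiEmail"  # marker line named in the description; ASCII encoding is an assumption
TAIL_BYTES = 64          # assumption: marker plus line terminators fit in the last 64 bytes


def has_marker(path):
    """Return True if the file's last line is the infection marker."""
    with open(path, "rb") as fh:
        fh.seek(0, os.SEEK_END)
        size = fh.tell()
        fh.seek(max(0, size - TAIL_BYTES))
        tail = fh.read()
    # Tolerate trailing CR/LF after the marker, then require it to end the file.
    return tail.rstrip(b"\r\n").endswith(MARKER)


def scan(root):
    """Walk root and return sorted (path, reason) findings."""
    findings = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            ext = os.path.splitext(name)[1].lower()
            if ext == ".exe" and has_marker(path):
                findings.append((path, "marker at end of file"))
            elif ext == ".sel":
                findings.append((path, "extracted original (.SEL)"))
    return sorted(findings)


def build_sample(root):
    """Constructed sample tree: one clean file, one marked file, one .SEL file."""
    with open(os.path.join(root, "clean.exe"), "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 200 + b"ShohdiEmail mid-file only" + b"\x00" * 100)
    with open(os.path.join(root, "marked.exe"), "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 200 + b"\r\nShohdiEmail\r\n")
    with open(os.path.join(root, "marked.SEL"), "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 50)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for path, reason in scan(tmp):
            print(f"{reason}: {path}")
```

A hit on the marker is a triage signal only; confirm with an anti-virus scan before treating a file as infected or clean.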
The worm can display a mixed English-Arabic message.
Detection was published on December 8th in the following F-Secure
Alexey Podrezov and Katrin Tocheva, December 15th, 2003;