Additional Details
When the script is executed, it first creates three files to Windows
temporary directory: "monopoly.jpg", "monopoly.whs" and
"monopoly.vbe".
After these files has been created, the worm will show a message box
with the following text:
Bill Gates is guilty of monopoly. Here is the proof.
When user selects "Ok" button from the message box, the worm shows a
picture of Monopoly game boad with picture of Bill Gates.
Then VBS/Monopoly attempts to mass mail itself to each recipient
defined in the Outlook address lists. This message looks like the
following:
Subject: Bill Gates joke
Body: Bill Gates is guilty of monopoly. Here is the proof. :-)
Attachment: MONOPOLY.VBS
Finally it collects the following system information:
- Date and time
- Windows registered user name, organization and version number
- Computer name
- DVD region code
- Country and area codes
- Internet Explorer language code
- Internet Explorer home page
- All entries from address books defined in Outlook
- All ICQ/UIN files
This information is sent to the following addesses:
monopoly@mixmail.com
monpooly@telebot.com
mooponly@ciudad.com.ar
mloponoy@usa.net
yloponom@gnwmail.com
When the worm has been executed, it creates a registry key
HKEY_LOCAL_MACHINE\Software\OUTLOOK.Monopoly
and sets the value of it to "True", so the worm will no be executed
again in the same machine.
[Analysis: Sami Rautiainen, F-Secure]