There are two principal worm components: the Loader and the Main component.
The Loader is a Windows EXE file about 25K in size (it is
compressed with the UPX PE EXE compression utility; once
decompressed it is about 70K in size). When the Loader is activated
on a computer (run from an email attachment), it registers itself
as a hidden process (service), copies itself to the Windows system
directory under the name GDI32.EXE and registers itself in the system auto-run key:
GDI = WinSystem\GDI32.EXE
where 'WinSystem' is the Windows system directory name. As a result
the worm Loader is executed on each Windows startup.
Note that the standard Windows components GDI.EXE and GDI32.DLL
reside in that directory. The worm uses the GDI32.EXE name to
disguise itself among the standard Windows components.
To hide its activity the worm then displays the fake error
The path in the above message may be different.
The worm then activates its main procedure, which downloads and executes the
Main component. It contacts the GeoCities website and gets several
files from one of the accounts there:
LASTVERSION.TXT - a text file with the number of the latest worm version
available there. If there is no new version, the worm
nn.ZIP - the latest version of the worm Main component, where "nn" is
the version number defined in LASTVERSION.TXT.
GATEWAY.ZIP - the latest version of the worm Loader component.
The nn.ZIP and GATEWAY.ZIP files are actually not archives but
encrypted Windows EXE files. The worm Loader decrypts them, copies
them to the Windows directory and runs them. As a result the Main component
is activated on the computer.
The Main worm component is a Windows EXE file about 40K in size (it
is compressed with the UPX PE EXE compression utility; once
decompressed it is about 120K in size). It is installed in the
Windows directory under the name GDI32A.EXE and is registered in the
system registry in the same way as described above for the worm
Loader. Depending on some conditions, the Main component then
opens the Windows Address Book, collects Internet email addresses from there and
sends infected email messages. In the known worm version these
Subject: Choose your poison
Attached file name: GIRLS.EXE
The B variant of the worm spreads itself with a slightly different message:
Subject: I'm your poison
Attached file name: LOVERS.EXE
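A defender-side triage script for the indicators this description gives (the GDI auto-run value, the GDI32.EXE and GDI32A.EXE file names, the UPX packing and the two subject/attachment pairs), added here as an example and not part of the original analysis; the auto-run entries, file lists and messages it reads are constructed sample data, and the UPX section-name check is a generic packing heuristic that the description does not state.

```python
from pathlib import PureWindowsPath

# Names and lures come from the description above; GDI.EXE and GDI32.DLL are the
# genuine components the worm imitates. Every sample input here is constructed.
LOADER_NAME = "GDI32.EXE"   # Loader, dropped into the Windows system directory
MAIN_NAME = "GDI32A.EXE"    # Main component, dropped into the Windows directory
AUTORUN_VALUE = "GDI"       # registry auto-run value the Loader registers
MAIL_LURES = {"choose your poison": "GIRLS.EXE",   # original variant
              "i'm your poison": "LOVERS.EXE"}     # B variant
UPX_MARKERS = (b"UPX0", b"UPX1", b"UPX!")          # section names left by UPX (heuristic)

def check_autorun(entries):
    """entries: iterable of (value_name, command) read from an auto-run key.
    Reports the worm's GDI value when it points at GDI32.EXE or GDI32A.EXE."""
    hits = []
    for name, command in entries:
        exe = PureWindowsPath(command.strip('"')).name.upper()
        if name.upper() == AUTORUN_VALUE and exe in (LOADER_NAME, MAIN_NAME):
            hits.append(f"autorun {name} -> {command}")
    return hits

def check_files(paths):
    """paths: iterable of file paths. GDI.EXE and GDI32.DLL are normal; a file
    named GDI32.EXE or GDI32A.EXE is the worm's disguise and is reported."""
    return [p for p in paths
            if PureWindowsPath(p).name.upper() in (LOADER_NAME, MAIN_NAME)]

def check_mail(messages):
    """messages: iterable of (subject, attachment_name). Matches the two known
    subject/attachment pairs; the subject is compared case-insensitively."""
    hits = []
    for subject, attachment in messages:
        expected = MAIL_LURES.get(subject.strip().lower())
        if expected and attachment.upper() == expected:
            hits.append(f"mail lure {subject!r} with {attachment}")
    return hits

def looks_upx_packed(data):
    """Cheap triage: an MZ file whose first 4 KB carry UPX section names. Both worm
    components are UPX-packed, but this alone does not identify the worm."""
    return data[:2] == b"MZ" and any(m in data[:4096] for m in UPX_MARKERS)

if __name__ == "__main__":   # constructed sample host state
    print(check_autorun([("GDI", r"C:\WINDOWS\SYSTEM\GDI32.EXE"), ("Tray", r"C:\WINDOWS\SYSTRAY.EXE")]))
    print(check_files([r"C:\WINDOWS\SYSTEM\GDI32.DLL", r"C:\WINDOWS\SYSTEM\GDI32.EXE"]))
    print(check_mail([("Choose your poison", "GIRLS.EXE"), ("Hi", "GIRLS.EXE")]))
```

The file check deliberately ignores GDI.EXE and GDI32.DLL, so it does not fire on the legitimate components the worm hides next to.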
The Main worm component also has backdoor abilities. It can
provide limited access to an infected computer for a remote
[Analysis: Kaspersky Labs, F-Secure Corp.; October 2000]