The worm is written in Delphi and is compressed with UPX file compressor. The packed file size is 91048 bytes, the unpacked file size is over 230 kilobytes. When the worm is run for the first time, it displays a fake error message:
Cannot open file: it does not appear to be a valid archive.
If this file is part of a ZIP format backup set,
last disk of the backup set and try again.
Please press F1 for help.
Then the worm copies itself as 'zipped_files.zip' file to the root folder of C: drive, opens this file with a default ZIP file viewer and then deletes the file. When a WinZip is installed on an infected system, it is started but because the worm deletes its file just after it tries to open it, WinZip shows that the 'zipped_files.zip' archive contents are empty. Then the worm installs itself to system. It copies itself as 'Explore.exe' to Windows System directory. It modifies WIN.INI file by putting its execution string after RUN= variable. This is done to make the worm's file during every Windows session. On NT-based system the worm adds its execution string to the Registry. On NT-based systems the worm can also install itself as '_setup.exe' in Windows directory, but this copy it not activated. To spread itself in email, the worm connects to an infected user's email client using MAPI interface, reads unanswered email messages and 'answers' them by sending itself to the original senders. The infected message looks like that:
RE:[the original subject of the message] Body:
Hi ! I received your email and I shall send you a reply ASAP.
Till then, take a look at the attached zipped docs. bye.
The worm can alter the message body by adding a recipient's name after 'Hi' string. It can also add 'Sincerely' string followed by a sender's name in the end of message body. In this case the worm does not add 'bye.' to the end of the message body. The worm does not use Iframe trick to make its attachment run automatically on a target system, so it's spreading is limited. However, the social engineering used by the worm can trick many people to run the attached worm's file.
The worm can infect computers over a local network. The worm looks for computers that share resources with an infected system and if it finds such a computer, it looks for Windows folder there. If it is found, the worm copies itself as '_setup.exe' file to a remote computer and modifies WIN.INI file there. As a result, a remote computer will be infected with the worm when it is restarted. But only Windows 9x systems are vulnerable as WIN.INI file is not used to start programs on Windows NT-based systems. The worm has a dangerous payload. It is constantly looking for the files with the below listed extensions on all available drives:
- .DOC - Microsoft Word documents
- .XLS - Microsoft Excel spreadsheets
- .PPT - Microsoft PowerPoint presentations
- .ASM - Assembler source files
- .CPP - C++ source files
- .C - C source files
- .H - C header files
When the worm finds a file with one of those extensions, it overwrites it and then zeroes its length, so recovery becomes impossible.