Category :


Type :


Aliases :

IWorm_Fix2001, I-Worm.Fix2001, Fix200112288


The Fix2001 is an Internet worm discovered in September 1999. The worm arrives as a 12kb "Fix20001.Exe" file attached to an email message. The message's subject is "Internet problem year 2000." and the body text is in both English and Spanish:

Estimado Cliente:
Rogamos actualizar y/o verificar su Sistema Operativo para el
correcto funcionamiento de Internet a partir del Ato 2000. Si
Ud. es usuario de
Windows 95 / 98
puede hacerlo mediante el
Software provisto por
Microsoft (C) llamado -Fix2001- que se
encuentra adjunto en este email o bien
puede ser descargado
del sitio WEB de Microsoft (C)
Si Ud. es usuario de otros Sistemas Operativos, por favor, no
deje de consultar con sus respectivos soportes tecnicos.
 Muchas Gracias. Administrador.
Internet Customer:
We will be glad if you verify your Operative System(s) before
Year 2000 to avoid problems with your Internet Connections.
If you are a
Windows 95 / 98 user, you can check your system
using the Fix2001 application that is attached to this email
or downloading it from Microsoft (C) WEB Site:
If you are using
another Operative System, please don't wait
until Year 2000, ask your OS Technical Support.

Thanks. Administrator.

Being run the worm installs itself to system and modifies Registry to be run during all further Windows sessions. The worm copies itself to \Windows\System directory and shows a messagebox:

This is a disguise only. After that the worm terminates until the next reboot. Being from the installed FIX2001.EXE copy after reboot the worm registers itself as a system service process (to hide its window and stay active on user logoff) with the "AMORE_TE_AMO" process ID and traps Connect and Send functions of WSOCK32.DLL (Windows Sockets Library used to connect to Internet). The trapped functions' addresses are patched so that they point to worm code and the worm could monitor certain activities. The Happy99/Ska worm uses the same technique.

When a valid Internet connection is detected, the worm scans sent and received messages, gets email addresses from there, and sends its copy with the above mentioned message to these addresses.

The worm has a dangerous payload that is activated in case the text strings in the worm's body are patched or corrupted. In this case the worm overwrites the C:\COMMAND.COM file with a DOS trojan that will erase all data on hard drive after the system is rebooted. This may also happen if worm is corrupted during transfer.

The worm has several internal text strings including email templates and a message:



Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details