This email worm is spreading using MS Outlook. The worm itself is Win32 executable file about 130K of length written in Visual Basic language.
Depending on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the suspect file, or ask you for a desired action.
More scanning & removal options
More information on the scanning and removal options available in your F-Secure product can be found in the Help Center.
You may also refer to the Knowledge Base on the F-Secure Community site for more information.
When the worm file is run (double click on attached EXE file) it displays the following picture:
and then three other pictures that are not Miss World pictures as it is written in the worm. After that the worm runs its spreading and two trojan routines.
To spread the worm uses a standard way. It connects to MS Outlook, gets up to 50 addresses from address book and sends messages to there. The messages have:
Subject: Miss World Body: Hi, %username% Enjoy the latest pictures of Miss World from various Country
The attached file has the name of original EXE file that was activated. The "original" EXE file name in which the worm was received is MSWORLD.EXE.
Next the worm appends to the end of C:\AUTOEXEC.BAT file DOS batch commands that display the message:
This Everything for my Girl Friend........., (CatEyes, KRSSL, SS Hostel)
and then format all local fixed drives.
The worm then tries to delete the system registry files and their backups:
SYSTEM.DAT, SYSTEM.DA0, USER.DAT, USER.DA0
Because .DAT these files are usually locked by system, the worm fails to delete them. Then the worm exits.
Technical Details: Kaspersky Labs and F-Secure Corp.; June 2001