Updater

The infected messages have different texts and attached file names, they are randomly selected by worm while spreading from following variants:

Subjects are: Part1 + Part2 + Part3 + Part4 Part1 = "Have you ", "You Should ", "Just ", "Why Not you ", "How to ", "Re: ", "Fwd : ", " " Part2 = "Check ", "Check out ", "Watch out ", "Open ", "Look at " Part3 = "this ", "my ", "For this ", "The " Part4 = "Picture", "Program", "Patch", "Nude pic", "Report", "Documment", "Quotation", "Transaction", "Bank Account", "WTC Tragedy", "Osama Vs Bush" "Account", "Private Pic"

Examples:

You Should Look at this Osama Vs Bush Fwd : Check my Patch

Atach filenames are:

"Setup.EXE", "install.exe", "Readme.exe", "Files.exe", "Picture.exe" "Quotation.Doc.exe", "Letter.Doc.exe", "Picture.jpg.exe"

Body:

Hi: This is the file you ask for, Please save it to disk and open this file, it's very important.

When the worm is executed, it copies itself to the C:\WINDOWS\ directory with the UPDATE.EXE name and registers that file in system registry auto-run key:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run Update = C:\WINDOWS\Update.exe

The worm then displays a fake error message:

Cannot Open files : It does not appear to be a valid archive if you Downloaded this file , try downloading the file again. [ OK ]

Next the worm creates the file C:\WINDOWS\STARTM~1\PROGRAMS\STARTUP\Update.vbs. This script file starts automatically after rebooting system under Windows 9x/ME. It looks for files on all drives with expansions: EXE, DOC, TXT. It creates script copies with the same names + expantion: ".vbs" For example:

MPLAYER.EXE.vbs NOTEPAD.EXE.vbs

This script file contains the strings:

I-WORM.IMELDA.B

The worm changes a volume label on disk C: the the IMELDA.

The worm also copies itself to the C:\WINDOWS\ directory with one of this names:

"Setup.EXE", "install.exe", "Readme.exe", "Files.exe", "Picture.exe" "Quotation.Doc.exe", "Letter.Doc.exe", "Picture.jpg.exe"