Selected viruses, spyware, and other threats: sorted alphabetically
After the file mmsn_offline.htm is executed the worm gets activated. It creates files C:bla.hta, C:b.htm, C:WindowsSAMPLESWSHCharts.js and C:Windowshelpmmsn_offline.htm.
In the system registry it creates three keys:
HKEY_CURRENT_USERSoftwareMicrosoftWindows Scripting HostSettingsTimeout
HKEY_LOCAL_MACHINE SoftwareMicrosoftWindowsCurrentVersionRunNAV DefAlert
The virus sets the value of the last key on %windir%SAMPLESWSHCharts.vbs. The intention of the worm author obviously was to activate the worm after the system restart. But the file Charts.vbs does not exist in the given directory, only the file Charts.js does. The worm writes its copy into files with extensions htm, html and asp. On the 1st, 5th, 10th, 15th and 20th day in a month the worm deletes files on local disks.
The worm sends its copies to all addresses which it can get from e-mail messages that are available in Outlook Express. In the end it sends the message to the address email@example.com.
The worm modifies the file mirc.ini. This causes that after connecting to IRC the client mIRC sends by means of DCC the file C:WINDOWShelpmmsn_offline.htm to everyone who joins the same channel that the user of the infected computer is on. The file mmsn_offline.htm contains a copy of the worm. In the created file mirc.ini the following text is located:
;This virus is donation from all Bulgarians
Into the file c:autoexec.bat the worm writes the command Echo y|format c: which causes formatting of the disk C: after the restart.
The worm is able to spread in the local computer network. It copies itself to accessible network disks as the file WindowsStart MenuProgramsStartUpMsoe.hta.
At the beginning of the worm body is the following text:
29.10.2001, 10/29/01 This worm is donation from all Bulgarians!CopyR2001McB
Â© 1992-2004 ESET s.r.o. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission.