Selected viruses, spyware, and other threats: sorted alphabetically
the subject "Outlook Express Update". The body of the message is formed by the text
"MSNSofware Co.". The message contains a file attachment "mmsn_offline.htm" which contains
a copy of the worm.
After the file mmsn_offline.htm is executed the worm gets activated. It creates the files C\:bla.hta, C:\b.htm, C:\Windows\SAMPLES\WSH\Charts.js and C:\Windows\help\mmsn_offline.htm.
In the system registry it creates three keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout
HKEY_LOCAL_MACHINE\ Software\Microsoft\Windows\CurrentVersion\Run\NAV DefAlert
The virus sets the value of the last key on %windir%\SAMPLES\WSH\Charts.vbs. The intention of the worm author obviously was to activate the worm after the system restart. But the file Charts.vbs does not exist in the given directory, only the file Charts.js does. The worm writes its copy into files with extensions htm, html and asp. On the 1st, 5th, 10th, 15th and 20th day in a month the worm deletes files on local disks.
The worm sends its copies to all addresses it could obtain in Outlook Express. In the end it sends the message to the address firstname.lastname@example.org.
The worm modifies the file mirc.ini. This causes that after connecting to IRC the client mIRC sends by means of DCC the file C:\WINDOWS\help\mmsn_offline.htm to everyone who joins the same channel that the user of the infected computer is on. The file mmsn_offline.htm contains a copy of the worm. In the created file mirc.ini the following text is located:
;This virus is donation from all Bulgarians
Into the file c:\autoexec.bat the worm writes the command Echo y|format c: which causes formatting of the disk C: after the
The worm is able to spread in the local computer network. It copies itself to accessible network disks as the file Windows\Start Menu\Programs\StartUp\Msoe.hta.
At the beginning of the worm body is the following text:
29.10.2001, 10/29/01 This worm is donation from all Bulgarians!CopyR2001McB
© 1992-2004 Eset s.r.o. All rights reserved. No part of this encyclopedia may be reproduced, transmitted or used in any other way in any other form or by any means without prior permission from Eset.