Threat Encyclopedia


Win32/Fix2001

Aliases: I-Worm.Fix2001, W32/Fix2001, W95.Fix2001

Win32/Fix2001 is a worm that spreads as an email file attachment. The email message has the subject "Internet problem year 2000." and its body consists of the following text:

Estimado Cliente:

Rogamos actualizar y/o verificar su Sistema Operativo para el
correcto funcionamiento de Internet a partir del Año 2000. Si
Ud. es usuario de Windows 95 / 98 puede hacerlo mediante el
Software provisto por Microsoft (C) llamado -Fix2001- que se
encuentra adjunto en este E-Mail o bien puede ser descargado
del sitio WEB de Microsoft (C) HTTP://WWW.MICROSOFT.COM
Si Ud. es usuario de otros Sistemas Operativos, por favor, no
deje de consultar con sus respectivos soportes tecnicos.

Muchas Gracias.

Administrador.

Internet Customer:

We will be glad if you verify your Operative System(s) before
Year 2000 to avoid problems with your Internet Connections.
If you are a Windows 95 / 98 user, you can check your system
using the Fix2001 application that is attached to this E-Mail
or downloading it from Microsoft (C) WEB Site:
HTTP://WWW.MICROSOFT.COM
If you are using another Operative System, please don't wait
until Year 2000, ask your OS Technical Support.

The attachment is the file fix2001.exe, which is 12288 bytes in size. When it is run, the worm is activated and displays a window with the following message:

Note: In the following text, the symbolic name %windir% is used in place of the name of the directory in which the Windows operating system is installed. This can differ from one installation to another.

The worm copies itself into the directory %windir%\System, and in the system registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run it creates the item "Fix2001" with the value "FIX2001.EXE". That ensures the worm is activated after a restart of the operating system. At that point its activity ends.

After a restart of the operating system, the worm is activated as a process with the name AMORE_TE_AMO. By means of this process the worm takes control of the library WSOCK32.DLL and tries to obtain email addresses, to which it sends a copy of itself.

The worm checks its own integrity, and if it finds any alterations in its body it overwrites the contents of the hard disk at the next restart. That causes an irreparable loss of all data on the hard disk.

The worm body contains many text strings. Some of them are used when sending out the worm by email and some are not used at all. An example of such a text string is the text visible at the end of the worm:

THE REAL KEY TO LIVE A HAPPY LIFE, IS: BE A GOOD MAN. PARA CONSEGUIR LA VERDADERA FELICIDAD, SE UN BUEN TIPO.

 

© 1992-2004 Eset s.r.o. All rights reserved. No part of this encyclopedia may be reproduced, transmitted or used in any other way in any other form or by any means without prior permission from Eset.