Virus Characteristics
This worm was written in Visual Basic 5.0 and is a minor variant of the earlier discovered W32/Mypics.worm. It also relies on the library file MSVBVM50.DLL; without this file, the program fails with an error. The worm copies itself to the local machine as C:\zip01.exe and registers itself to run at system startup from one of these registry locations, depending on whether the operating system is Windows 9x or NT:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Agent5 = c:\zip01.exe
HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Windows\Run Agent5 = c:\zip01.exe
While the file runs as a task in memory, it performs two functions. One spreads the worm via an email routine; the other monitors the system clock for the 17th of any month and then activates the destructive file deletion routine. The worm also disables the "CTRL-ALT-DEL" option that brings up the task list, so that the task cannot be closed from there. The best method to start Windows without the task is to start in safe mode.
If executed, this worm uses MS Outlook email for distribution, sending itself to the recipients listed in the Outlook address book. Emails created by this worm contain no subject line and only the message listed below. The message carries the attached file "Video.exe", with a size of 25,600 bytes:
Here's a digital video for you
The icon of the email attachment resembles that of Winzip; the file is not a Winzip file, however. When installed by default, Winzip adds a shell extension to the right-mouse click. If you right-mouse click on a true zip archive file, you will have an option to open the file using Winzip.
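The startup entry and mail characteristics described above can be turned into a simple triage check. The following is an added example, not part of the original description: it assumes the registry has been exported as regedit text (string values only) and that mail fields are passed in as plain values; the function names are illustrative.

```python
import re

# Indicators as given in the description above (HKLM expanded as regedit writes it).
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windowsnt\currentversion\windows\run",
}
VALUE_NAME, VALUE_DATA = "agent5", r"c:\zip01.exe"
ATTACHMENT, BODY = ("video.exe", 25600), "here's a digital video for you"
STRING_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def scan_reg_export(text):
    """Return (key, name, data, reason) for startup values matching the worm's entry."""
    hits, key = [], None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = STRING_VALUE.match(line)
        # Spaces are ignored so a key exported as "Windows NT" still compares equal.
        if not m or key is None or key.lower().replace(" ", "") not in RUN_KEYS:
            continue
        # .reg files escape backslashes and quotes inside string data.
        name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
        name_hit = name.lower() == VALUE_NAME
        data_hit = data.strip().lower() == VALUE_DATA
        if name_hit or data_hit:
            reason = "exact" if name_hit and data_hit else "partial"
            hits.append((key, name, data, reason))
    return hits


def message_matches(subject, body, attachments):
    """True for a mail with no subject, the worm's body text and its attachment."""
    has_file = any((name.lower(), size) == ATTACHMENT for name, size in attachments)
    return not subject.strip() and BODY in body.lower() and has_file


# Constructed sample export for illustration; not taken from an infected machine.
SAMPLE = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Agent5"="C:\\ZIP01.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\Run]
"Agent5"="c:\\zip01.exe"
'''
```

Calling `scan_reg_export(SAMPLE)` reports only the `Agent5` value under the startup key; a "partial" result (matching name or path, but not both) is worth a manual look rather than automatic removal.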
If MS Outlook is logged off and closed for at least 10 minutes then logged back on, the email routine is activated again. In AVERT testing on a Windows 95 client with MS Outlook installed and only using the "Personal Address Boo