This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
Indication of Infection
Existence of any of the file names mentioned above, which is also distributed by email, existence of the file RUNDLL32.VBS in the Windows folder, email propagation as mentioned above.
Methods of Infection
If the user runs the attachment the worm runs using the Windows Scripting Host program. This is not normally present on Windows 95 or Windows NT unless Internet Explorer 5 is installed.
When the worm is first run it drops copies of itself in the file "C:\WINDOWS\RUNDLL32.VBS".
It also adds this registry key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
in order to run the worm at system startup.
The worm changes the name of the registered owner of the system to "FireburN" by changing this registry key:
The worm also creates a copy of itself in the WINDOWS folder using one of the following file names picked at random (one file name contains expletive word which has been censored):
If the mIRC client is installed on the users system, the worm overwrites the file SCRIPT.INI in order to propogate via mIRC sessions. The script also creates another copy of the worm in the WINDOWS\SYSTEM folder, under the random name as above.
The worm's payload contains a check for the date of 20th June. On this day the worm displays a message box with the title "FireburN", containing the message:
"I'm proud to say that you are infected by FireburN !"
It also disables the mouse and keyboard by adding the following 2 registry keys: