This threat is detected as VBS/Generic@MM with the 4141 DATs or newer. It arrives via Internet Relay Chat, or in an email message containing the following information:
||Outlook Express Update|
||MSNSofware Co. |
Opening the attachment infects the local system. The worm sends itself to all Microsoft Outlook Contacts and Windows Address Book entries using MAPI. Copies of the worm are created using different formats:
- %drive letter%\Start Menu\Programs\StartUp\msoe.hta (on network drives)
The C:\AUTOEXEC.BAT file is over written with Echo y|format c:
All SCRIPT.INI files are overwritten with mIRC script commands to send the virus to others when they join a channel that an infected user is on. All .ASP, .HTM, and .HTML files are overwritten with the virus code. The content of all other files is deleted if the day is 1,5,10,15, or 20, leaving them with 0 bytes of data.
The following registry keys are created: