This worm functions much the same way that JS/Kak.worm does. AVERT recommends installing the security patch from Microsoft
Like JS/Kak.worm, a dangerous aspect of this Internet worm is its ability to continuously re-infect yourself if the preview pane is enabled and you browse between folders specifically the "sent" folder which happens to contain the Internet worm within a message. This is another strong reason to update to the security patch.
This worm uses VBScript and an ActiveX component, called "Scriptlet Typelib", to propagate itself through email using MS Outlook Express.
When an e-mail or newsgroup message infected by this worm is opened by a reader which supports VBScript in HTML, the writes the Update.hta file to the Startup folder of the local machine. This will launch the code embedded in the HTA file at the next Windows startup. Microsoft has published a security update which addresses this ActiveX exploit and users are encouraged to update their systems with this component. With this update installed, users are questioned if they wish to run the ActiveX control which "might be unsafe".
For more details on this vulnerability and to obtain a patch from Microsoft, see this link:
Microsoft Security Bulletin
For current security bulletins from Microsoft, see this link:
Email messages written in HTML format will be coded with the Internet worm on infected systems due to the default signature modification on infected systems. The email application Outlook is a target of this Internet worm for propagation due to its support for HTML format messages. If an email message is coded with the worm code and it is allowed to run, then this file is written to the local machine:
The email spreading method is possible by a registry modification which adds a signature to MS Outlook. The signature is set to include the file "C:\WINDOWS\OUT.HTML" and is set as the default signature such that the worm is spread on all outgoing email if the signature is included.
A value is added to the registry: "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\
Note - The "C:\WINDOWS\OUT.HTA" file is only created on the French version of Windows 9x.
For the French versions of Windows 9x:
- Writes a copy of itself to "c:\windows\menu démarrer\programmes\démarrage\tam.hta"
- When "TAM.HTA" is ran at startup, "C:\OUT.HTA" is created.
- On August 30, a message is displayed:
Bon Anniversaire Lac !!!
This box will reappear after "OK" is clicked. On the 5th click, this message appears:
KOI??? Ca t'interresse pas?
Tu n'es pas digne du monde informatique.
BYE-BYEClicking OK to this message results in your computer shutting down.