28160 bytes (~ 61 KB when unpacked)
- the file Warm.scr in the Windows folder;
- the registry entry HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ExeName32 pointing to that file;
- this picture displayed while the virus is running (at every start-up, for example):
Close the window with the picture; delete the file and the registry entry listed in the Symptoms section.
Let BitDefender delete infected files.
Bogdan Dragu, BitDefender Virus Researcher
This worm is written in Visual Basic and packed with UPX; it embeds the picture above in JPEG format. It arrives in an email in the following format:
Subject:
Fw: When It´s Cold Outside She Gives Me Warm Inside [whitespaces] [random characters]
or
Re: When It´s Cold Outside She Gives Me Warm Inside [whitespaces] [random characters]
Body:
You will love this cute picture.
or
Enjoy this great picture.
or
Don´t miss this cool picture.
============= Free Online Virus Scan =============
100% VIRUS FREE
No viruses or suspicious files were found in the attached file.
Attachment: [the random characters in the Subject line][random digits].scr
When run, it copies itself as Worm.scr in the Windows folder and creates the registry entry HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ExeName32 so that Windows runs the worm at every start-up.
It uses Outlook to send identical emails in the format above to:
- the user's contacts in the Address Book;
- email addresses found in .htm/.html files in the folder pointed to by the registry entry HKCU\Software\Microsoft\Internet Explorer\Main\Save Directory;
- contacts found in .ctt files in My Documents.
(It creates a copy of itself in the Windows folder with the random name used for the attachment in order to create the email messages.)
The emails are enqueued in Outlook's Outbox; after being sent, they are deleted.
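A mail-filter check for the message format described above, added here as an example; it is not BitDefender's detection logic. The function and indicator names are hypothetical, the sample messages are constructed, and two assumptions are made: the random characters in the Subject contain no whitespace, and a plain ' or ’ may appear in place of ´.

```python
import re
from email.message import EmailMessage

# Strings come from the description above. The page prints the apostrophe as
# U+00B4; also accepting ' and U+2019 is an assumption about re-encoding.
SUBJECT_RE = re.compile(
    r"(?:Fw|Re): When It[\u00b4'\u2019]s Cold Outside She Gives Me Warm Inside"
    r"\s+(\S+)")
LURES = ("You will love this cute picture.", "Enjoy this great picture.",
         "miss this cool picture.")
FAKE_SCAN = ("100% VIRUS FREE",
             "No viruses or suspicious files were found in the attached file.")


def indicators(msg: EmailMessage) -> set:
    """Return which indicators from the description a parsed message shows."""
    hits = set()
    subject = SUBJECT_RE.fullmatch(str(msg["Subject"] or "").strip())
    if subject:
        hits.add("subject")
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part is not None else ""
    if any(lure in body for lure in LURES):
        hits.add("lure")
    if all(line in body for line in FAKE_SCAN):
        hits.add("fake_scan_footer")
    for att in msg.iter_attachments():
        name = att.get_filename() or ""
        if not name.lower().endswith(".scr"):
            continue
        hits.add("scr_attachment")
        # Attachment name = the Subject's random characters + digits + ".scr"
        if subject and re.fullmatch(
                re.escape(subject.group(1)) + r"\d+\.scr", name, re.IGNORECASE):
            hits.add("name_matches_subject")
    return hits


def is_worm_mail(msg: EmailMessage) -> bool:
    """High-confidence verdict: subject pattern plus the correlated attachment."""
    return {"subject", "name_matches_subject"} <= indicators(msg)


def sample(subject: str, body: str, filename: str) -> EmailMessage:
    """Build a constructed test message; the attachment bytes are a placeholder."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(b"placeholder", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg
```

At a gateway, obtain the `EmailMessage` with `email.message_from_bytes(raw, policy=email.policy.default)` before calling `indicators()`.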