This is an Internet worm spreading with emails by sending infected messages from infected computers. While spreading the worm uses MS Outlook and sends itself to all addresses that are stored in MS Outlook Address Book.

The worm itself is Win32 application written in VisualBasic. The worm code
  seems to be based on "I-Worm.LoveLetter" VBS worm (the worm routines
 and their names look very similar to "Loveletter" ones), and its seems that
  this worm was created by adapting "Loveletter" VBS source to VisualBasic
  language.

When run (if a user clicks on attached infected file) the worm sends its
 copies by email, installs itself into the system and performs destructive
  actions.

The worm sends itself as email messages with attached EXE file, that is the
 worm itself.
 
 

                        The message has:

                             The Subject: My baby pic !!!
                             Message body: Its my animated baby picture !!
                             Attached file name: mybabypic.exe

Being activated by a user (by double click on attached file) the worm opens
 MS Outlook, gets access to the Address Book, gets all addresses from
 there and sends messages with its attached copy to all of them. The
  message subject, body and attached file name are the same as above.

The worm also installs itself into the system. It creates its copies in
 Windows system directory with the names:

WINKERNEL32.EXE, MYBABYPIC.EXE, WIN32DLL.EXE,
 CMD.EXE, COMMAND.EXE

and registered in Windows auto-run section in system registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\mybabypic
= %WinSystem%\mybabypic.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WINKernel32
 = %WinSystem%\WINKernel32.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
= %WinSystem%\Win32DLL.exe

where %WinSystem% is Windows system directory. As a result the worm
 is re-activated each time Windows boots up.

The worm also creates the registry key:

                             HKCU\Software\Bugger
                             Default = HACK[2K]
                             mailed = %number%

where %number% is a number from 0 to 3 and depends on the process the
worm is currently performing or done: installing, spreading, activating its
  payload routine.

The payload routine is quite a large. Depending on the system date and time
 the worm:

                             switches on/off NumLock, CapLock and ScrollLock keys
                             sends to keyboard buffer the message:
                                  .IM_BESIDES_YOU_

                             connects the http://www.youvebeenhack.com site and sends one of
                             texts to there:
                                  FROM BUGGER
                                  HAPPY VALENTINES DAY FROM BUGGER
                                  HAPPY HALLOWEEN FROM BUGGER

The worm also corrupts and/or affects other files. It scans subdirectory trees on all available drives, lists all files there and depending on filename extension performs the following actions:

VBS, VBE: the worm destroys the contents these files.

JS, JSE, CSS, WSH, SCT, HTA, PBL, CPP, PAS, C, H: the worm creates a new file with original filename plus ".EXE" extension and copies its body to there, and then deletes original file, i.e. the worm overwrites these files with its code and renames them with EXE extension. For example, "TEST.CPP" becomes "TEST.EXE".

JPG, JPEG: the worm does the same as above, but adds ".EXE" extension to the full file name (does not rename to ".EXE"). For example, "PIC1.JPG" becomes "PIC1.JPG.EXE".

MP2, MP3, M3U: the worm creates a new file with ".EXE" extension (for "SONG.MP2" the worm creates the
"SONG.MP2.EXE" file), writes its code there and sets the file attribute "hidden" for the original file.

Return to Virus Alert 55

18-20, MSIDA ROAD,
GZIRA. GZR 1401.
MALTA.

E-MAIL CONTACTS:Sales|Technical Support|Managing Director|CEO|Webmaster|