Every Thursday the worm regenerates its address list, which it stores in the ICMAIL.DLL file in the Windows System directory.
This worm sends itself with the following subject lines:
Hello
For you
Try it
Re:
and the following bodies:
Hi
Here is what you asked, bye.
Hello
Maybe you could help me with this, bye.
Hello
Now you can try it, bye.
The following names are given to the worm's attachment:
HGAME.EXE
MININET.EXE
NETAV.EXE
Subject, body and attachment name are selected randomly from the above given list.
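A mail-gateway check for the subject, body and attachment indicators listed above, as an added example that is not part of the original description. The function names `match_indicators` and `build_sample`, the quarantine rule and the sample messages are assumptions made for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the lists above, lower-cased for comparison.
SUBJECTS = {"hello", "for you", "try it", "re:"}
BODY_PHRASES = (
    "here is what you asked, bye.",
    "maybe you could help me with this, bye.",
    "now you can try it, bye.",
)
ATTACHMENTS = {"hgame.exe", "mininet.exe", "netav.exe"}


def match_indicators(raw_message: bytes) -> dict:
    """Report which of the worm's mail indicators a raw message matches."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    subject = (msg["Subject"] or "").strip().lower()
    names = {(p.get_filename() or "").strip().lower()
             for p in msg.iter_attachments()}
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part else ""
    hits = {
        "subject": subject in SUBJECTS,
        "body": any(phrase in body for phrase in BODY_PHRASES),
        "attachment": bool(names & ATTACHMENTS),
    }
    # Assumed policy: the attachment name is the strong signal. "Hello" or
    # "Re:" alone is far too common in legitimate mail to act on.
    hits["quarantine"] = hits["attachment"] and (hits["subject"] or hits["body"])
    return hits


def build_sample(subject, body, attachment_name=None):
    """Constructed test message; the attachment is harmless placeholder bytes."""
    m = EmailMessage()
    m["From"] = "a@example.com"
    m["To"] = "b@example.com"
    m["Subject"] = subject
    m.set_content(body)
    if attachment_name:
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename=attachment_name)
    return m.as_bytes()
```

Because the worm picks subject, body and attachment name independently, the check evaluates each indicator separately instead of looking for fixed combinations.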
When the worm is first started it shows a fake error message:
"This file does not work on this system"
It then installs itself on the system. It copies itself to the Windows System directory as the file 'NETAV.EXE' and adds the path of that file to the System Registry:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\NETAV Agent]
This way the worm starts during all Windows sessions.