The worm adds itself to the registry under the following keys, where the value is the location of the virus, so that the virus runs each time the computer starts:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WindowsMGM
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindowsMGM
It also copies itself to the Windows directory under the name
winmgm32.exe
The worm sends email to all the email addresses it finds in files with these extensions:
.WAB
.DBX
.HML
.HTML
.EML
.TXT
The email is constructed from these parts:
The from address is:
big@boss.com
The subject is randomly chosen from this list:
Re: Here is that sample
Re: Document
Re: Sample
Re: Movies
The name of the attached file is chosen from the following list:
Sample.pif
Untitled1.pif
Document003.pif
Movie_0074.mpeg.pif
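The email indicators listed above can be checked at a mail gateway or against an archive of stored messages. The following is an added example, not part of the original description: the function name match_indicators and the sample message are constructed for illustration, and only the from address, subjects and attachment names come from the lists above.

```python
from email import message_from_string
from email.utils import parseaddr

# Indicators copied from the lists in the description above.
FROM_ADDRESS = "big@boss.com"
SUBJECTS = {"re: here is that sample", "re: document", "re: sample", "re: movies"}
ATTACHMENTS = {"sample.pif", "untitled1.pif", "document003.pif", "movie_0074.mpeg.pif"}


def match_indicators(raw_message: str) -> list:
    """Return the names of the listed indicators found in one RFC 5322 message."""
    msg = message_from_string(raw_message)
    hits = []
    # parseaddr drops any display name, so '"Boss" <big@boss.com>' still matches.
    _, addr = parseaddr(msg.get("From", ""))
    if addr.lower() == FROM_ADDRESS:
        hits.append("from")
    # Collapse whitespace so folded or padded Subject headers compare equal.
    subject = " ".join(str(msg.get("Subject", "")).split()).lower()
    if subject in SUBJECTS:
        hits.append("subject")
    # walk() visits every MIME part; get_filename() reads the Content-Disposition
    # filename and falls back to the Content-Type "name" parameter.
    for part in msg.walk():
        name = (part.get_filename() or "").strip().lower()
        if name in ATTACHMENTS:
            hits.append("attachment:" + name)
    return hits


# Constructed sample message (not a captured one); the attachment body is a placeholder.
SAMPLE = """\
From: big@boss.com
To: user@example.org
Subject: Re: Movies
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

constructed body text
--b1
Content-Type: application/octet-stream; name="Movie_0074.mpeg.pif"
Content-Disposition: attachment; filename="Movie_0074.mpeg.pif"

placeholder
--b1--
"""
```

A message that matches all three indicator types is a much stronger signal than one that matches only a subject, since subjects such as "Re: Document" also occur in ordinary mail.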
The worm also looks for network shares and tries to copy itself to these directories:
Windows\All Users\Start\Menu\Programs\StartUp
Documents and Settings\All Users\Start Menu\Programs\Startup