This worm arrives as an email with one of several attachment names and a combination of two appended extensions.
The list of possible file names is:
The first extension that is appended to the file name is one of the following:
The second extension that is appended to the file name is one of the following:
The resulting file name would look something like this:
When executed, this worm copies itself as kernel32.exe in the "\windows\system" directory. It then adds the following registry value:
-------- Original Message -----From: Shiu M. HungTo: AllianceSent: Sunday, November 25, 2001 5:10 PMSubject: [alliance] virusHi everyone,I just thought i better give everyone on this list a forewarning. I have received 2 messages today from Carol Spooner that had viruses attached and have confirmed with Carol herself that she did not send them. She stated someone else is using her email address to carry out this dirty tricks.Shiu---