The worm appends itself as a
signature to the end of legitimate outgoing messages. When
the message is received, the worm automatically inserts
a copy of itself into the appropriate StartUp folder for both
English and French language versions. The copy is named Day.hta.
The worm uses a known Microsoft
Outlook Express security hole, Scriptlet.Typelib, so that
a viral file is created on the system without having to run
any attachment. Simply reading the email message will cause
the virus to be placed on the system.
If you have a patched version
of Outlook Express, this worm will not work automatically.
.hta files are executed by current
versions of Microsoft Internet Explorer and Netscape Navigator.
The computer must be restarted for this file to be executed.
Once executed, the worm modifies the registry key
HKEY_CURRENT_USER/Identities//Software/Microsoft/Outlook/Express/5.0/signatures
to add its own signature file,
which is the infected Day.hta file. This causes all outgoing
mail to be infected by the worm. In addition, the registry
key
HKEY_LOCAL_MACHINE/Software/Microsoft/Windows/CurrentVersion/Run/cDays
is added, which causes the worm
to be executed each time that the computer is restarted.
Finally, if it is the first
of the month and the hour is 17 (5:00 P.M.), the following
message is displayed:
Days It was a day to be a days!
and Windows is shut down.
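The persistence points described above (the cDays value under Run, a signature entry that points to an .hta file, and the dropped Day.hta copy) can be checked for in a text registry export and a file listing. This is an added example, not code from the original page. It assumes the "/" separators in the keys above stand for registry backslashes, that the product key is spelled "Outlook Express", and that the export has already been decoded to text; the value data, the "file" value name and the {CONSTRUCTED-ID} identity are constructed placeholders.

```python
import re

# Constructed registry export for illustration; not taken from a real host.
# Value data, the "file" value name and {CONSTRUCTED-ID} are placeholders.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"cDays"="C:\\WINDOWS\\placeholder.hta"
"Updater"="C:\\Program Files\\App\\update.exe"

[HKEY_CURRENT_USER\Identities\{CONSTRUCTED-ID}\Software\Microsoft\Outlook Express\5.0\signatures]
"file"="C:\\WINDOWS\\Day.hta"

[HKEY_CURRENT_USER\Software\Example]
"notes"="see Day.hta writeup"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VAL_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)="((?:[^"\\]|\\.)*)"$')

def scan_reg_export(text):
    """Return (indicator, key, value_name, data) for each persistence entry found."""
    findings, key = [], ""
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VAL_RE.match(line)
        if not m:
            continue  # blank lines, export header, non-string value types
        name = m.group(1) or "(default)"
        data = m.group(2).replace("\\\\", "\\")  # undo .reg backslash escaping
        k = key.lower()
        is_hta = data.lower().endswith(".hta")
        # Run key: the value name from the page, or any autostart of an .hta file
        if k.endswith(r"\currentversion\run") and (name.lower() == "cdays" or is_hta):
            findings.append(("run-key", key, name, data))
        # Signature settings under any identity that reference an .hta file
        elif "\\identities\\" in k and "\\signatures" in k and is_hta:
            findings.append(("oe-signature", key, name, data))
    return findings

def dropped_copies(paths):
    """Flag files named Day.hta; matching on the file name alone avoids
    depending on the localized name of the StartUp folder."""
    return [p for p in paths if re.split(r'[\\/]', p)[-1].lower() == "day.hta"]
```
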