Miss World’s Photos Hide a Dangerous Internet-Worm

Cambridge, United Kingdom, June 6, 2001 – Kaspersky Labs, an international data-security software-development company, warns about the discovery of a new extremely dangerous Internet-worm “I-Worm.MsWorld”.

Up to date Kaspersky Lab has received just several reports of the worm from the wild. However, users are advised to carefully read the worm’s description that will assist them to avoid its further spreading.

“MsWorld” is a Windows-application about 130Kb size written in Visual Basic programming language with embedded Macromedia Flash modules. The worm spreads in attached files via e-mail by using the widely-used MS Outlook e-mail program. The infected messages look as follows:

see http://www.kaspersky.com/news.asp?tnews=0&nview=1&id=195&page=0

It is important to note that the infected file’s name can be different. Initially the worm’s filename is MWORLD.EXE. However, “MsWorld” allows malicious persons to change the name and it will not affect the worm’s operability: it will still be able to spread, but with another filename.

After the infected file is executed the worm sequentially displays the following images:

see http://www.kaspersky.com/news.asp?tnews=0&nview=1&id=195&page=0

Then “MsWorld” initiates the mass mailing routine. It gets access to the MS Outlook address book, reads the first 50 e-mail addresses from here and unbeknownst to the user sends out its copies there.

Then the worm modifies the AUTOEXEC.BAT file by adding a set of commands. During the next PC boot up they will display the message:

This Everything for my Girl Friend………, (CatEyes, KRSSL, SS Hostel)

And then format all system disks.

“MsWorld” also tries to delete the Windows system registry files: SYSTEM.DAT, SYSTEM.DA0, USER.DAT, USER.DA0. Thanks to the built-in protection for the .DAT files it is only successful to delete their copies, i.e. .DA0 files.

Protection against the “MsWorld” worm already has been added to the upcoming daily update of Kaspersky Anti-Virus.




Share this