Select countryLysaker, 9 May 2001
The data security company Norman warns against a new massmailer worm and has several reports of this encrypted VBS e-mail worm. As usual it sends itself to all addresses in all address books in Outlook. The worm has a minimal payload that randomly opens a browser window to one out of four sex-oriented web pages.
The worm started its spread in Europe in the early morning hours, and has since shown an ability to spread very fast.
The email has this subject and body:
Subject: Homepage Body: Hi! You've got to see this page! It's really cool ;O) Attachment name: Homepage.HTML.vbs
The mass mail routine will normally be executed only once. To keep track on that the worm will create a registry key HKCU\software\an\mailed and set this to 1 the first time its mass mail routine is executed. This indicates that the mass mail routine already has been executed and if a new infected file is executed at the same machine the mass mail routine will not be executed again.
The worm has a minimal, non-destructive payload that randomly opens a browser window to one out of four sex-oriented web pages. However, the worm's spreading activity may overload e-mail servers.
Norman Virus Control with definitions files from May 9th or later detects and removes this worm. Users are encouraged to update their Norman Virus Control protection to the most recent version. More information on www.norman.com
For further information please contact:
Bjørn Windfeldt, VP Marketing Norman ASA, Tel.: +47-67-10-97-76, Mob.: +47-41-53-97-76