. "This is a virus-worm that spreads via the Internet attached to infected e-mail. The worm itself is a Windows PE EXE file about 30Kb in length (compressed by UPX, 76K decompressed), and it is written in Microsoft Visual C++. Infected messages appear as follows: The worm activates from infected e-mail only when a user double-clicks on the attached file. The worm then installs itself to the system and runs a spreading routine. While installing, the worm copies itself to: c:egctrl.exe - under Win9x/MEc:ecycledegctrl.exe - under WinNT/2K/XP and spawns this copy. When the worm's file name is not \".com\" (as in the attachment), but rather \".exe\" (the worm is re-named), it also opens the Web page \"\". The original file (as it was run from an infected e-mail) is moved to the Recylced or Recycler directory with one of the following names: C:\\RECYCLER\\F-%1-%2-%3C:\\RECYCLED\\F-%1-%2-%3where %1, %2, %3 are randomly selected numbers, for example: F-12158-19044-21300F-27729-23255-31008While installing, the worm checks the keyboard layouot set, and when there is Russian keyboard support, the worm copies itself to Recycled/Recycler in the same way and exits. This is the same on any date except for 25\u201329 January 2002. As a result, the worm works only from 25 until 29 January 2002, and only on machines without Russian keyboard support. To send infected messages, the worm uses a direct SMTP connection to an e-mail server. To obtain a victim's e-mail addresses, the worm scans WAB files (Windows Address Book) and *.DBX files (Outlook Express). The worm also sends one e-mail (without an attachment) to \"napster@gala.net\". Under WinNT/2000/... the worm also creates a new file in a user's auto-run directory: %Userprofile%\\Start Menu\\Programs\\Startup\\msstask.exeand writes a backdoor program to there. This backdoor is run by data that are stored in a file at the Web site \"\". This one is a slightly modified 'a' version. The differences are: The attached file name is \"myparty.photos.yahoo.com\"."@en . . "Myparty"@en . "This is a virus-worm that spreads via the Internet attached to infected e-mail. The worm itself is a Windows PE EXE file about 30Kb in length (compressed by UPX, 76K decompressed), and it is written in Microsoft Visual C++. Infected messages appear as follows: The worm activates from infected e-mail only when a user double-clicks on the attached file. The worm then installs itself to the system and runs a spreading routine. While installing, the worm copies itself to: c:egctrl.exe - under Win9x/MEc:ecycledegctrl.exe - under WinNT/2K/XP"@en . . . . . . . . . .