From
Here
# Beautiful Ass.pif
# John Kerry as Super Chicken.scr
# Kool.pif
# Me & you pic!.pif
# Me Pissed!.pif
# sexy.pif
# She Could Fit her Ass in a Teacup.pif
# she's ****in fit.pif
# titanic2.jpg.pif
It creates the following registry entries to run at every Windows startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Run
%Random% = "C:\WINNT\System32\Isass.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\RunServices
%Random% = "C:\WINNT\System32\Isass.exe"
The variable %Random% may be any of the following strings:
* Anti
* Isass
* NvMsnW
Propagation Routine
This worm propagates using MSN Messenger, a popular chat program. It sends a copy of itself using any of the file names listed earlier, which were dropped in the root folder.
Payload
This worm is capable of disabling the right-click feature of the mouse. It can also prevent the system from loading the following system applications:
* REGEDIT.EXE
* TASKMGR.EXE
This worm also drops the file l0l_53xy_l0l.html in the current folder where it is executed. When run, this HTML file attempts to connect to the following Web sites in order to display an image:
* http://counter.rapidcounter.com/coun<BLOCKED>/1107713659/bbldotg
* http://www.freewebs.com/lol_<BLOCKED>_you_lol/l0l_53xy_l0l.jpg
As of this writing, the said sites are inaccessible.
Other Details
This worm runs on Windows 98, ME, NT, 2000, and XP.