subject: News
[cut-n-paste from sophos.com]
W32/Ganda-A
Type
Win32 worm
Detection
At the time of writing Sophos has received just one report of this worm
from the wild.
Description
W32/Ganda-A is a worm which spreads by sending itself to email
addresses collected from EML, HTM*, DBX and WAB files on your computer.
W32/Ganda-A creates two copies of itself in your Windows folder. One
copy is named scandisk.exe; the other is an EXE file with a name
consisting of eight randomly-chosen lower-case letters.
W32/Ganda-A sets the following registry entry so that it loads
automatically every time your computer is started:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ScanDisk =
\scandisk.exe
Whilst sending emails, the worm makes an additional copy of itself in
your Windows folder under the name tmpworm.exe.
W32/Ganda-A scans through RAM, looking for applications which have any
of the following text strings in memory: virus, firewall, f-secure,
symantec, mcafee, pc-cillin, trend micro, kaspersky, sophos, norton.
Processes containing any of the offending strings are terminated.
Clearly, this is intended to kill off a range of popular security
products. But it can cause collateral damage: for example, if you have
a Word document open containing any of the above strings, the worm will
shut down Word without giving you a chance to save any changes.
W32/Ganda-A infects EXE and SCR files on your hard disk by inserting a
small loader program which tries to launch a copy of the worm from your
Windows folder when you close the infected application. Files which are
modified in this way rely on the original randomly-named worm file
being present. If you delete the worm files from your Windows folder
then you will immediately make any modified EXE files uninfectious.
The worm can send emails with several subject line and message text
combinations, both in English and Swedish.
The English emails can have the following characteristics:
Subject line: Screensaver advice.
Message text: Do you think this screensaver could be considered
illegal? Would appreciate if you or any one of your friends could check
it out and answer as soon as humanly possible.
Subject line: Spy pics.
Message text: Here's the screensaver i told you about. It contains
pictures taken by one of the US spy satellites during one of it's
missions over iraq. If you want more of these pic's you know where you
can find me. Bye!
Subject line: GO USA !!!!
Message text: This screensaver animates the star spangled banner.
Please support the US administration in their fight against terror.
Thanx a lot!
Subject line: G.W Bush animation.
Message text: Here's the animation that the FBI wants to stop. Seems
like the feds are trying to put an end to peoples right to say what
they think of the US administration. Have fun!
Subject line: Is USA a UFO?
Message text: Have a look at this screensaver, and then tell me that
George.W Bush is not an alien. ;-)
Subject line: Is USA always number one?
Message text: Some misguided people actually believe that an american
life has a greater value than those of other nationalities. Just have
a look at this pathetic screensaver and then you'll know what i'm
talking about. All the best.
Subject line: LINUX.
Message text: Are you a windows user who is curious about the linux
environment? This screensaver gives you a preview of the KDE and GNOME
desktops. What's more, LINUX is a free system, meaning anyone can
download it.
Subject line: Nazi propaganda?
Message text: This screensaver has been banned in Germany. It contains
a number of animated symbols that can be related to the nazi culture.
What do you think, is it a legitimate ban or not? Please answer asap.
Thanx!
Subject line: Catlover.
Message text: If you like cats you'll love this screensaver. It's four
animated kittens running around on the screen. Contact me for more
clipart. Have fun! ;-)
Subject line: Disgusting propaganda.
Message text: Hello! My 12 year old doughter received this screensaver
on a CDROM that was sent to her through advertising. I find it
disturbing that children are now being targets of nazi organizations.
I would appreciate to hear from you on this matter, as soon as
possible. Thank you.
In all of these cases the attached file has a random 2-character name
and an SCR extension (e.g. oc.scr).
The worm also creates entries in the following registry keys:
HKLM\Software\SS\Sent
HKLM\Software\SS\Sent2
W32/Ganda-A sends a rambling diatribe complaining about the Swedish
education system to a small set of email addresses apparently
belonging to Swedish journalists. These emails do not contain the worm
as an attachment.
W32/Ganda-A contains the text:
[WORM.SWEDENSUX] Coded by Uncle Roger in Hõrnsand, Sweden, 03.03. I am
being discriminated by the swedish schoolsystem. This is a response to
eight long years of discrimination.
W32/Cult-A
Aliases
W32.Cult, I-Worm.Cult, W32.HLLW.Cult@mm
Type
Win32 worm
Detection
At the time of writing Sophos has received no reports from users
affected by this worm. However, we have issued this advisory following
enquiries to our support department from customers.
Description
W32/Cult-A is a worm and backdoor Trojan.
W32/Cult-A spreads via file sharing on KaZaA networks and by emailing
itself to random email addresses. The email will have the following
characteristics:
Subject line: Hi, I sent you an eCard from BlueMountain.com
Message text: To view your eCard, open the attachment If you have any
comments or questions, please visit
http://www.bluemountain.com/customer/index.pd
Attached file: BlueMountaineCard.pif
When first run, the worm displays a false error message with the text
"The instruction at 0x776456de referenced memory at 0x6235525g3. The
memory could not be read Click on OK to terminate the application",
copies itself to the Windows System folder as winupdate.exe and
creates the following registry entry so that winupdate.exe is run
automatically each time Windows is started:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft auto update
= winupdate.exe
The worm creates the folder %System%\Kazaa\, copies itself to this
folder as DivX 5.03 Codecs.exe, Download accelarator.exe, PaintShop
Pro 7 Crack_By_Force.exe, SMS_sender.exe and ZoneAlarm Pro KeyGen.exe
and creates the following registry entry so that the %System%\Kazaa\
folder is shareable on Kazaa networks:
HKCU\Software\Kazaa\LocalContent\Dir0 = 012345:C:\WINDOWS\SYSTEM\kazaa\
W32/Cult-A allows a remote intruder to access and control the computer
via IRC channels.
When run, W32/Cult-A tries to connect to a remote IRC server and join a
specific channel. W32/Cult-A then runs in the background as a server
process, listening for commands to execute.
The worm also creates several registry entries under
HKLM\Software\Microsoft\WDXDriver to store encrypted IRC server
addresses.
W32/Deborm-R
Aliases
MultiDropper-FL, Worm.Win32.Deborm.r, Win32/Nebiwo.B, W32.HLLW.Nebiwo
Type
Win32 worm
Detection
At the time of writing Sophos has received just one report of this
worm from the wild.
Description
W32/Deborm-R is a network worm which carries and installs Trojans.
When run, the worm searches for shares named C or C$ on the local IP
subnet that have no password. If a share is found the worm will attempt
to copy itself to one of the following folders in the share:
Windows\Start Menu\Programs\Startup
Documents and Settings\All Users\Start Menu\Programs\Startup
Winnt\Profiles\All Users\Start Menu\Programs\Startup
W32/Deborm-R will attempt to install the Trojans Troj/Litmus-203,
Troj/Sdbot-Fam and Troj/KillAV-Q.
The worm also adds the following registry entry, containing the name of
the worm file so that it is run each time Windows is started:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NAV Live Update
W32/Oror-T
Aliases
I-Worm/Roron.51, W32/Oror.gen.a@MM
Type
Win32 worm
Detection
At the time of writing Sophos has received just one report of this
worm from the wild.
Description
W32/Oror-T is a variant of the W32/Oror family of internet worms.
Please refer to the description of W32/Oror-R for more detail.
W32/Bibrog-B
Aliases
W32/BIBROG.C@MM, I-Worm.Academia
Type
Win32 worm
Detection
At the time of writing Sophos has received just one report of this
worm from the wild.
Description
W32/Bibrog-B arrives in an email with the following characteristics:
Subject line: Fwd:La Academia Azteca
Message text: La cacademia azteca (muy bueno) no es virus!
Attached file: academia.exe
When the worm is first executed a game is activated for the user to
play.
La Cacademia, Tienes 18 balas Score: 0
At the same time the worm is copied to
C:\manzana.exe,
C:\academia.exe,
C:\itch.exe and
C:\itcj.exe
When Windows next starts up the worm will be activated, causing it to
email contacts in the victim's Outlook address book.
W32/Bibrog-B drops two BMP files, osiris.bmp and quiettime.bmp. The two
files are alternately used as the backdrop for the Windows Desktop
each time Windows starts up.
[Screenshots of the two Windows Desktop backdrops omitted]
W32/Bibrog-B attempts to create copies of the worm in the shared
folders of the KaZaA, Grokster and Morpheus peer-to-peer applications.
The same files will also be copied to the shared folder of the ICQ
messaging application.
The following five HTM files are dropped to the My Documents folder:
acafug.htm
citibank.htm
hotmail.htm
msn.htm
yahoo.htm
The latter four of these HTM files are faked versions of genuine
internet pages that contain a form for logging into a service.
Information entered into the login form of any of these fake pages
will be sent to the attacker.
The worm monitors the address window of Internet Explorer and if
certain addresses are found then one of the above files will be
substituted in place of the real address. The following substitutions
will occur:
http://hotmail.passport.com to \hotmail.htm
http://mail.yahoo.com to \yahoo.htm
http://www.citibank.com/us/cards/ to \citibank.htm
http://www.fbi.gov to \acafug.htm
http://login.passport.net to \msn.net
http://loginnet.passport.net to \hotmail.htm
Additionally, the following substitution will occur; however, the
substitute address appears to be no longer available:
http://send.greetings.yahoo.com to http://www.cjd.itesm.mx
W32/Nicehello-A
Aliases
I-Worm.Nicehello, Win32/NiceDay.A, W32.Nicehello@mm
Type
Win32 worm
Detection
At the time of writing Sophos has received no reports from users
affected by this worm. However, we have issued this advisory following
enquiries to our support department from customers.
Description
W32/Nicehello-A is a worm that arrives in an email with one of the
following sets of characteristics:
Subject line: Codigo fuente
Message text: Hola, te mando el codigo fuente que te prometi, esta
comprimido; ya sabes esto es solo para vos!!. Saludos
Attached file: condigo.exe
Subject line: Mis primeras animaciones
Message text: Te mando la primera animacion en flash sobre nuestros
amigos; espero tus comentarios, recuerda que es solo para vos
Attached file: animacion.exe
Subject line: parche
Message text: El parche del programa que me pediste. Cualquier cosa
estoy para ayudarte. recuerda que es solo para vos
Attached file: parche.exe
Subject line: Actualizacion de programa
Message text: Recien puedo enviarte la actualizacion, es que tuve mucho
trabajo, recuerda que es solo para vos
Attached file: actualizacion.exe
Subject line: Datos ultimo trimistre
Message text: Los datos del ultimo trimestre esta en el archivo
adjunto, estan comprimidos, recuerda que es solo para vos
Attached file: datos.exe
Subject line: Presentaciones PowerPoint
Message text: Las presentaciones en power point que tenia que
mandarte, estan comprimidas en el archivo adjunto, recuerda que es
solo para vos
Attached file: presentaciones.exe
Subject line: ahora el juego va a funcionar
Message text: El parche para el juego que mas te gusta, esta
comprimido, recuerda que es solo para vos
Attached file: parchejuego.exe
Subject line: Fotos ultima fiesta
Message text: Hola, como estas, te mando las fotos de la ultima fiesta,
por cierto tienes una cara!!!. , recuerda que es solo para vos. bye
Attached file: fotos.exe
Subject line: Video de la ultima reunion de amigos, recuerda que es
solo para vos
Message text: Hola, te mando el video de la ultima fiesta, no se ve
muy bien pero algo es algo, recuerda que es solo para vos
Attached file: video.exe
Subject line: Animaciones en flash de nuestros politicos
Message text: Mira las animaciones sobre la clase politica del pais,
recuerda que es solo para vos
Attached file: politicos.exe
When the worm is first run a copy is intended to be created in the
folder C:\Windows\system or C:\winnt\system32 with the filename
sys64dvr.exe. A bug will cause the worm to be copied to
C:\Windows\systemsys64dvr.exe or C:\winnt\system32sys64dvr instead.
The following registry entry will be created to run the worm when
Windows starts up:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
System 64 Driver for Games = sys64dvr.exe
Since the worm is not copied to the correct location the worm will not
be run when Windows starts up.
W32/Nicehello-A sends an email to the attacker with details of the
victim's MSN account.
W32/Nicehello-A displays a message box containing the text "Microsoft
Windows XP or greater required!".
W32/Yaha-R
Type
Win32 worm
Detection
At the time of writing Sophos has received just one report of this
worm from the wild.
Description
W32/Yaha-R is a worm from the Yaha family.
W32/Yaha-R shares many of the characteristics of W32/Yaha-Q.
However, W32/Yaha-R stores itself on your hard disk under different
file names to those used by the -Q variant. W32/Yaha-R places the files
wintask32.exe and exeloader.exe into your system folder. (The -Q
variant uses the names mstask32.exe and exeloader.exe.)
W32/Lovgate-A
Aliases
WORM_LOVGATE.A
Type
Win32 worm
Detection
Sophos has received several reports of this worm from the wild.
Description
W32/Lovgate-A is a worm and backdoor Trojan. The worm spreads across
the local network by copying itself into folders with the following
names:
billgt.exe
Card.EXE
docs.exe
fun.exe
hamster.exe
humor.exe
images.exe
joke.exe
midsong.exe
news_doc.exe
pics.exe
PsPGame.exe
s3msong.exe
searchURL.exe
SETUP.EXE
tamagotxi.exe
W32/Lovgate-A also attempts to spread via email by sending itself to
email addresses collected from *.ht* files. Emails sent to these
addresses will have the following characteristics:
Subject: Documents
Message body: Send me your comments...
Attached file: Docs.exe
Subject: Roms
Message body: Test this ROM! IT ROCKS!.
Attached file: Roms.exe
Subject: Pr0n!
Message body: Adult content!!! Use with parental advisory.
Attached file: Sex.exe
Subject: Evaluation copy
Message body: Test it 30 days for free.
Attached file: Setup.exe
Subject: Help
Message body: I'm going crazy... please try to find the bug!
Attached file: Source.exe
Subject: Beta
Message body: Send reply if you want to be official beta tester.
Attached file: _SetupB.exe
Subject: Do not release
Message body: This is the pack ;)
Attached file: Pack.exe
Subject: Last Update
Message body: This is the last cumulative update.
Attached file: LUPdate.exe
Subject: The patch
Message body: I think all will work fine.
Attached file: Patch.exe
Subject: Cracks!
Message body: Check our list and mail your requests!
Attached file: CrkList.exe
The worm also attempts to reply to emails found in the user's inbox.
The worm uses the following attachment names for these emails:
billgt.exe
Card.EXE
docs.exe
fun.exe
hamster.exe
humor.exe
images.exe
joke.exe
midsong.exe
news_doc.exe
pics.exe
PsPGame.exe
s3msong.exe
searchURL.exe
SETUP.EXE
tamagotxi.exe
W32/Lovgate-A copies itself into the Windows system folder as
rpcsrv.exe, syshelp.exe, WinGate.exe, winrpc.exe and WinRpcsrv.exe and
sets the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Module Call
initialize = "RUNDLL32.EXE reg.dll ondll_reg"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\syshelp
= "\syshelp.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WinGate initialize =
"\WinGate.exe -remoteshell"
HKLM\Software\CLASSES\txtfile\shell\open\command = "winrpc.exe %1"
On Windows NT the worm drops the files ily.dll, task.dll, reg.dll and
win32vxd.dll into the Windows system folder. These files are also
detected as W32/Lovgate-A.
W32/Lovgate-A is also a backdoor Trojan that provides an attacker with
unauthorized access to the user's computer and can send notification
email messages to the attacker.
W32/Yaha-Q
Aliases
W32.Yaha.P@mm, I-Worm.Lentin.n
Type
Win32 worm
Detection
Sophos has received several reports of this worm from the wild.
Description
W32/Yaha-Q is a worm that most commonly arrives in an email, but may
also find its way on to a computer via network shared drives.
The email that the worm arrives in can have any one of a very large
selection of subject lines and message texts. The email may also be
spoofed, meaning that it may not necessarily have come from the
sender listed in the "From" field of the user's email client.
W32/Yaha-Q copies itself to the files exeloader.exe and mstask32.exe
in the Windows system folder.
The following registry entries will be created to start the worm when
Windows starts up:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
MicrosoftServiceManager = \mstask32.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
MicrosoftServiceManager = \mstask32.exe
The registry entry HKCR\exefile\shell\open\command will be updated so
that the copy of the worm exeloader.exe is run whenever an EXE file is
executed.
W32/Yaha-Q contains a long list of anti-virus, windows management and
security applications whose processes are terminated if they are found
to be running. The worm will also terminate any process that has an
associated window with any of the following titles:
Windows Task Manager
System Configuration Utility
Registry Editor
Process Viewer
HKLM\Software\Microsoft\Windows\CurrentVersion\ZoneCheck will be set to
any of the following web sites:
pakistan.gov.pk
paki.com
pcb.gov.pk
comsats.com
kse.com.pk
The registry entry HKLM\Software\Microsoft\Snakes will be created and
will contain the values Author, Comments, Version and Web.
W32/Yaha-Q will carry out the following four operations when executed
on a Wednesday:
1) Modify the Internet Explorer start page via the registry entry
HKU\Software\Microsoft\Internet Explorer\Main\Start Page. The new start
page will be http://www.indiansnakes.cjb.net.
2) Append a link to the web site http://www.indiansnakes.cjb.net to all
HTM and HTML files found in the folder inetpub/wwwroot/.
3) Spread to network shares.
4) Create a randomly named text file in the Windows folder containing
any one of the following five blocks of text:
"=================================================
iNDiAn snAKeS pReSAnTs : W32/yAHA 2.00
wE aRe tHe gREaT inDIaNs
------------------------
sNAkE p0iSoN wiLL fUCk pAKIs
n0w wE aRe a tEAm..
bEWarE oF tHe p0iSoN oF tHe snAKeS..
bACK oFF paKI hAckERs,uR dAyS aRe oVeR..
pAkIsTaN's IT fUtuRe iS iN uR hANd..
U sToP..wE sToP..
u sTarTeD.. wE fInIshED...
=================================================
bY R0xx,c0bra,dEviL inCArNatE
visIT uS : http://indiansnakes.cjb.net"
"=================================================
iNDiAn snAKeS pReSAnTs : W32/yAHA 2.00
wE aRe tHe gREaT inDIaNs
---------------------------
thiS iS juST thE begiNNinG..
s00000 mUcH t0 c0mE..
n0 moRe pAK shiT wiLL be toleRATeD..
tiME f0r somE payBACK..
thERe iS nothING likE teAM w0rk..
iNDiAN snAKeS wiTH hARD p0iSoN..
wE wiLL bE BACk....
=================================================
iNDiAn snAKeS
* c0Bra
* R0xx
* kiNG c0Bra
* snaKeEyEs
* dEViL inCARnATe
http://indiansnakes.cjb.net"
"=================================================
iNDiAn snAKeS pReSAnTs : W32/yAHA 2.00
wE aRe tHe gREaT inDIaNs
-------------------------
iNdIaN IT exPeRTs.. aRe u bUSy eArNiNg m0nEy ???
d0 s0mEthInG f0r uR c0untRY yaaaaar...
c0mE aNd w0rK wIth uS..
bUt hEy wE aInT aNy IT eXpeRTs.. wHy ???
bEcAuSE wE d0nT hAvE ceRtiFicAtEs wHiCh u hAvE b0ugHt..
aLL wE aRe... wE aRe tHe gReAt iNdiAnS
d0 u tHinK wE aRe g00d..
tHeN d0 a faVouR f0R uS.. juSt rEspEcT uS..
aND exPLaiN t0 uS.. whY u R n0t rEtaLiaTinG t0 pAkI hAckErS..
n0 0thEr sHiTs nEEdEd..
----------------------------------------------------------
R0xx
c0bra
dEviL inCaRnaTE
==================================================
http://www.indiansnakes.cjb.net"
"========================================================
iNDiAn snAKeS pReSAnTs : W32/yAHA 2.00
wE aRe tHe gREaT inDIaNs
------------------------
to gigabyte :: chEErS pAL, kEEp uP tHe g00d w0rK..buT W32.HLLP.YahaSux
is.. lolz ;)
to Mr Roger Thompson ::
| [technical director of malicious code research for TruSecure Corp]
| --------------------------------------------------------------
| wE arE n0t p0litiCaLy m0tiVatEd sIr...
| wE aRe jUsT rEtaLiaTinG t0 pAkI hAckErS aNd tHeiR sHiT hAcktIviSm..
| hahha Yaha.K suCCessfuLL by lUck ??? eVeR heARd s0meThinG liKe thiS
| a w0rM maDe anD spReaD bY luCk...hehehe lolz..
| aNd fiNallY wE kn0w dAmN weLL wHaT tHe heLL wE aRe doinG...
| thE w0rlD pUshEd uS to tHe dArK siDe..cAnT hElp iT.. no reTReaT no suRRenDeR
| --------------------------------------------------------------
=========================================================
bY R0xx ,c0bra,dEviL inCArNatE
viSIt uS : http://indiansnakes.cjb.net"
"==============================================
iNDiAn snAKeS pReSAnTs : W32/yAHA 2.00
wE aRe tHe gREaT inDIaNs..
------------------------------------------
ab0uT Yaha 2.00 :
maIn miSsIon iS t0 dd0s 5 paKi weBshits..
fuCk paKi sYstEmS bY sEndinG eXploitEd daTa pAckeTs..
deDIcaTed to :
* Trend Micro Corp ( f0r exceLLeNT anaLYsiS lolz ;) )
* Klez auTHoR
* SQL Slammer auTHoR
* inDIan haCKeRs & VXeRs
* inDiAn s0 caLLeD IT eXpeRTs
* pe0pLeS wh0 fiGHt agAINsT coRRupti0n ( i guEss itS alm0st NULL )
* aLL mEmbERs of iNDiAn sNAKeS
* t0 mY bEsT friENd
thIs iS a waR beTweeN inDia & paK hAckeRS..
n0 c0untrY shouLD gEt inVolvEd..
------------------------------------------
> R0xx >
http://www.indiasnakes.cjb.net
"
W32/Deloder-A
Type
Win32 worm
Detection
Sophos has received several reports of this worm from the wild.
Description
W32/Deloder-A is a network worm which spreads to random IP addresses
and installs a backdoor Trojan.
When first run, the worm drops the files Psexec.exe and inst.exe to the
current folder and creates the following registry entry so that the
worm executable is run automatically each time Windows is started:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\messnger =
The worm attempts to connect to port 445 of target computers, which is
the NetBIOS port for Windows 2000 and XP, so the worm is only likely
to spread to computers running Windows 2000 or XP.
W32/Deloder-A copies itself to shares on the remote computer as
Dvldr32.exe and tries to install the backdoor Trojan component
inst.exe into the startup folders
C$\WINNT\All Users\Start Menu\Programs\Startup\,
C\WINDOWS\Start Menu\Programs\Startup\ and
C$\Documents and Settings\All Users\Start Menu\Programs\Startup\,
so that inst.exe is run automatically each time the target computer
is restarted.
W32/Deloder-A queries the remote computer for a valid username and then
attempts to log on using a brute force method to crack the password.
This involves trying a list of common 'weak' passwords.
If the worm is unable to get a valid username it attempts to log on via
the IPC$ share.
The worm uses the valid utility Psexec.exe to remotely set the
attributes for inst.exe and Dvldr32.exe to read-only, to launch
inst.exe and Dvldr32.exe and to disable the network shares C$, D$, E$,
F$, IPC$ and ADMIN$.
When run, the backdoor component inst.exe drops the files explorer.exe,
VNCHooks.dll, omnithread_rt.dll and rundll32.exe to the Fonts folder
and cygwin1.dll to the System32 folder and creates the following
registry entries so that both explorer.exe and rundll32.exe are run
automatically on startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Explorer = %Fonts%\explorer.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\TaskMan = %Fonts%\rundll32.exe
%Fonts%\rundll32.exe is a backdoor Trojan which allows unauthorized
access to the computer via IRC channels.
Each time %Fonts%\rundll32.exe is run the Trojan tries to connect to a
remote IRC server and join a specific channel.
%Fonts%\rundll32.exe then runs in the background as a server process,
listening for commands to execute.
%Fonts%\explorer.exe is the valid application 'VNC server for Win32'.
The worm will only run on Windows 2000 and XP operating systems, but
the backdoor components will also run on Win9x and Windows NT.
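Most of the advisories above name the Run/RunServices value the worm adds (ScanDisk, Microsoft auto update, NAV Live Update, System 64 Driver for Games, Module Call initialize, syshelp, WinGate initialize, MicrosoftServiceManager, messnger), and two of them hijack the exefile and txtfile shell\open\command keys, so a regedit export can be triaged against them. The Python below is an added example, not code from Sophos or from the original post; the .reg text is constructed, and the exefile command shown for the Yaha-Q style hijack is an assumed illustration because the advisory gives no exact value.

```python
import re

# Autostart value names reported in the advisories above (name -> advisory).
SUSPECT_RUN_VALUES = {
    "scandisk": "W32/Ganda-A",
    "microsoft auto update": "W32/Cult-A",
    "nav live update": "W32/Deborm-R",
    "system 64 driver for games": "W32/Nicehello-A",
    "module call initialize": "W32/Lovgate-A",
    "syshelp": "W32/Lovgate-A",
    "wingate initialize": "W32/Lovgate-A",
    "microsoftservicemanager": "W32/Yaha-Q",
    "messnger": "W32/Deloder-A",
}
RUN_KEYS = (r"\software\microsoft\windows\currentversion\run",
            r"\software\microsoft\windows\currentversion\runservices")
EXEFILE_DEFAULT = '"%1" %*'   # stock exefile\shell\open\command value

def parse_reg(text):
    """Parse a 'Windows Registry Editor Version 5.00' export into
    {key_path: {value_name: string_data}} ('' is the default value)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line[:1] in ('"', "@") and "=" in line:
            name, _, data = line.partition("=")
            name = "" if name == "@" else name.strip('"')
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1]
            # .reg files escape backslashes and quotes inside string data
            keys[current][name] = re.sub(r"\\(.)", r"\1", data)
    return keys

def triage(reg_text):
    """Return (kind, key, value_name, note) for every indicator found."""
    findings = []
    for key, values in parse_reg(reg_text).items():
        k = key.lower()
        if k.endswith(RUN_KEYS):
            for name, data in values.items():
                worm = SUSPECT_RUN_VALUES.get(name.lower())
                if worm:
                    findings.append(("autostart", key, name, f"{worm}: {data}"))
        if k.endswith(r"\exefile\shell\open\command"):
            # Yaha-Q makes every EXE launch go through exeloader.exe
            if values.get("", EXEFILE_DEFAULT) != EXEFILE_DEFAULT:
                findings.append(("exe-hijack", key, "", values[""]))
        if k.endswith(r"\txtfile\shell\open\command"):
            # Lovgate-A replaces the notepad handler with "winrpc.exe %1"
            if "notepad" not in values.get("", "notepad").lower():
                findings.append(("txt-hijack", key, "", values[""]))
    return findings

# Constructed sample export: a benign Run entry beside several indicators.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanDisk"="C:\\WINDOWS\\scandisk.exe"
"WinGate initialize"="C:\\WINDOWS\\SYSTEM\\WinGate.exe -remoteshell"
"Acrobat Assistant"="C:\\Program Files\\Adobe\\acrotray.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"MicrosoftServiceManager"="C:\\WINDOWS\\SYSTEM\\mstask32.exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\SYSTEM\\exeloader.exe \"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\CLASSES\txtfile\shell\open\command]
@="winrpc.exe %1"
'''

if __name__ == "__main__":
    print(*triage(SAMPLE_REG), sep="\n")
```

On a real export (regedit /e), run triage over the file contents; the benign "Acrobat Assistant" entry in the sample is there to show that only the listed names are reported.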
--- MultiMail/Win32 v0.43
 * Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)
SOURCE: echomail via fidonet.ozzmosis.com