The following has been derived from information provided by Network Associates, Command, F-Secure, and Computer Associates.

Virus Characteristics

VBS/CoolNote.worm is a VBScript worm partially based on the code of VBS/Loveletter.worm. It will arrive as an email with the following format:

Subject line: Cool Notepad Demo
Body text: Hey check out this text file I sent it will do something neat in notepad.
Enjoy :-)
Attachment name: COOL_NOTEPAD_DEMO.TXT.vbs

This worm may arrive by either IRC channel or by e-mail. If the worm is executed, it will copy itself to the local system in the Windows\System folder as "COOL_NOTEPAD_DEMO.TXT.vbs".

CoolNote modifies the system registry in order to load at Windows startup as follows:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
COOL_NOTEPAD_DEMO=[path]COOL_NOTEPAD_DEMO.TXT.vbs

In the above key, "[path]" is the Windows\system folder name.

Unlike the LoveLetter worm, CoolNote does not create a .HTM file to send over IRC. Instead the same .vbs file that is sent through e-mail is sent via IRC. If "c:\mirc\mirc.ini" exists, the worm creates "C:\mirc\script.ini". If the file "script.ini" exists in the folder c:\mirc, it is modified to distribute the VBS worm when connecting to IRC channels.

Finally, this worm will send itself to all entries in the victim's address book.


Payload

The worm adds a registry key that will hide the desktop after the system is restarted:

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop

This worm has the potential to cause mail servers to become overloaded by a huge volume of infected e-mail.


Additional Information

The following comments are never displayed:

' COOL_NOTEPAD_DEMO VBS virus - by VxF
' This will scan as a LoveLetter Variant which it kinda is but this is
' my first VBS virus I ever made which I used to study and learn some of
' the common functions used to create viruses using VBS.
' Beginning of code