Name:  W32/Frethem.f@MM
Aliases:  W32.Frethem.D@mm
Variants:  
Type:  Internet Worm
Platforms: Windows 32-bit
Status:  in the wild
Threat:  V-CON 2 (low)
The following has been derived from information provided by NAI and Symantec.
Virus Characteristics
This mass-mailing worm gathers email addresses from Microsoft Outlook Express mailbox files (.DBX files), and the Windows Address Book (.WAB file). It arrives as an email with the following characteristics:
Subject: Re: Your password!
Body: ATTENTION!
You can access
very important
information by
this password
DO NOT SAVE
password to disk
use your mind
now press
cancel
Attachments:
decrypt-password.exe (35,840 bytes)
password.txt (31 bytes)
The worm exploits the "Incorrect MIME Header Can Cause IE to Execute E-mail Attachment" vulnerability in Microsoft Internet Explorer (ver 5.01 or 5.5 without SP2) to automatically execute the virus on vulnerable systems. The .exe file copies itself to the following location:
\START MENU\PROGRAMS\STARTUP\SETUP.EXE
The default SMTP Server, SMTP Email Address, and SMTP Display Name are gathered from the Internet Account Manager:
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\00000001
This information is used by the worm to carry out its propagation routine.
Payload
Mass Mailing routine.
Presence of the file Setup.exe in the following location:
\START MENU\PROGRAMS\STARTUP\
Preventative Measures
Since the email message does not change, it can be stopped at the internet email gateway by blocking all messages which have the following characteristics:
Subject: Re: Your password!
Attachments:
decrypt-password.exe (35,840 bytes)
password.txt (31 bytes)
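One way to implement this gateway check, as an added example that is not part of the original advisory: a Python filter that parses a raw message and flags it only when the subject and both attachment names and byte sizes match the fixed values listed above. The sample message it builds is constructed from dummy bytes for testing and is not the worm.

```python
import email
from email import policy
from email.message import EmailMessage

# Fixed characteristics of the worm's message, taken from the advisory above.
WORM_SUBJECT = "Re: Your password!"
WORM_ATTACHMENTS = {"decrypt-password.exe": 35840, "password.txt": 31}


def is_frethem_message(raw: bytes) -> bool:
    """Return True when a raw RFC 822 message carries the worm's subject and
    both attachments with the exact names and sizes; such a message can be
    rejected at the gateway."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("Subject") or "").strip()
    if subject.lower() != WORM_SUBJECT.lower():
        return False
    # Collect every non-container part that names a file, whatever its
    # Content-Type, so an unusual MIME layout does not hide the attachment.
    found = {}
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:
            found[name.lower()] = len(part.get_payload(decode=True) or b"")
    return all(found.get(n) == size for n, size in WORM_ATTACHMENTS.items())


def build_sample(subject: str, exe_size: int = 35840, txt_size: int = 31) -> bytes:
    """Construct a test message shaped like the worm's. The attachment bodies
    are filler bytes (constructed), not the real files."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"   # constructed address
    msg["To"] = "user@example.invalid"       # constructed address
    msg["Subject"] = subject
    msg.set_content("ATTENTION!\nYou can access very important information "
                    "by this password. DO NOT SAVE password to disk.")
    msg.add_attachment(b"\x00" * exe_size, maintype="application",
                       subtype="octet-stream", filename="decrypt-password.exe")
    msg.add_attachment(b"A" * txt_size, maintype="text", subtype="plain",
                       filename="password.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    print(is_frethem_message(build_sample(WORM_SUBJECT)))         # True
    print(is_frethem_message(build_sample(WORM_SUBJECT, 100)))    # False
```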
Fixes Available
Network Associates:
Minimum Dat: 4207
Minimum Engine: 4.0.70
DAT Release Date: 06/12/2002
Symantec:
Intelligent Updater: June 8, 2002
LiveUpdate: June 12, 2002
Trend: No information at time of alert.