A JScript worm in a CHM file (HTML Help). It uses MIRC, OUTLOOK and PIRCH. When run, it asks for permission to use ActiveX. If permission is denied, it shows a text saying "The picture couldn't be shown. ActiveX wasn't allowed, please reload and select to use it."; if allowed, it shows a picture and a text saying "If you ride a motorcycle, close your mouth.".

It then copies itself to the Windows directory as "THE_FLY.CHM" and to the Windows "SYSTEM" directory as "DXGFXB3D.DLL". After that, it creates "MSJSVM.JS" in the Windows directory and adds this file to the registry so that it runs at startup. This file tries to modify MIRC and PIRCH so that the CHM file is sent the way most IRC worms send themselves. Because this file runs at every startup, the worm also takes hold in new MIRC and PIRCH installations. The file also checks whether "THE_FLY.CHM" exists, and if it doesn't (for example because someone tried to remove the worm), it copies "DXGFXB3D.DLL" from the Windows "SYSTEM" directory to "THE_FLY.CHM" in the Windows directory, so the worm is working again.

After adding "MSJSVM.JS" to the registry, the worm tries to use OUTLOOK to send itself to all contacts in the address book, using "Funny thing" as subject, "> If you ride a motorcycle, close your mouth. :)" as body and the CHM file as attachment. If "THE_FLY.CHM" and "DXGFXB3D.DLL" do not exist, or if the minutes are 30 when "MSJSVM.JS" is run, this file shows a message. It was created to use the CHM file type in a worm for the first time.
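
The file names above are enough to check a machine or a mounted disk image, and to see whether deleting only "THE_FLY.CHM" would leave the worm able to restore itself. The script below is an added example, not part of the original description. It assumes that the "SYSTEM" directory sits directly under the Windows directory and that the caller has already collected the startup command strings (the description does not name the registry key); `scan` and its field names are hypothetical.

```python
import os

CHM_MAGIC = b"ITSF"  # signature at the start of a compiled HTML Help file

def _find(directory, name):
    """Case-insensitive lookup, since Windows file names ignore case."""
    try:
        for entry in os.listdir(directory):
            if entry.upper() == name.upper():
                return os.path.join(directory, entry)
    except OSError:
        pass
    return None

def _is_chm(path):
    """True if the file starts with the CHM signature, whatever its extension."""
    try:
        with open(path, "rb") as fh:
            return fh.read(4) == CHM_MAGIC
    except OSError:
        return False

def scan(windows_dir, startup_commands):
    """Report which artifacts from the description are present.

    startup_commands: command strings taken from the machine's startup
    entries; how they are collected is left to the caller (assumption).
    """
    system_dir = _find(windows_dir, "SYSTEM") or os.path.join(windows_dir, "SYSTEM")
    chm = _find(windows_dir, "THE_FLY.CHM")
    dll = _find(system_dir, "DXGFXB3D.DLL")
    js = _find(windows_dir, "MSJSVM.JS")
    startup = [c for c in startup_commands if "MSJSVM.JS" in c.upper()]
    disguised = dll is not None and _is_chm(dll)  # a real DLL starts with "MZ"
    # MSJSVM.JS recreates THE_FLY.CHM from the DLL copy at startup, so the
    # worm returns unless the script, its startup entry and the copy all go.
    can_restore = bool(disguised and js and startup)
    return {
        "chm_present": chm is not None,
        "dll_is_disguised_chm": disguised,
        "js_present": js is not None,
        "startup_entries": startup,
        "can_self_restore": can_restore,
        "infected": bool(chm or disguised or js or startup),
    }
```

A result with `chm_present` false but `can_self_restore` true is the partial-cleanup case described above: the CHM was deleted, but the next startup will bring it back.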