
IM Doom!  This virus struck a number of computer networks under our care a few days after the Lunar New Year (CNY 2004).

The worm emails itself to data-mined email addresses. The recipient receives an email with one of various headings, including:
  • Hi
  • Hello
  • Error
  • MAIL DELIVERY SYSTEM
  • Mail Transaction Failed
  • Returned Mail: Response Error
  • Server Report
  • Test
The worm is included as an attachment with the file extension .exe, .pif, .zip, or .scr. Filenames include body, document, file, message, test, and text.

These innocent-looking mails prompted my users to double-click them.  The attachment displays a message and the user quickly forgets all about it. But upon execution, it drops taskmon.exe and shimgapi.dll in the %system% folder and sets taskmon.exe to autostart in the HKLM\Software\Microsoft\Windows\CurrentVersion\Run subkey.

This worm also performs denial-of-service attacks on several websites; these attacks depend on the system time of the infected computer.  The dial-up connection starts prompting the user to dial for internet access.

Remedial action:

  • Remove any internet and network connection to the affected machine.
  • Upload the latest Stinger software to the affected computer.
  • Run the scanning and cleaning process.
  • Restart the machine.
  • Reconnect the internet connection.  Download the latest antivirus data file.
  • Run the full system scan again.
  • Spend 15 minutes to educate the user.
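
An added example, not part of the original page: a Python check for the indicators described above (taskmon.exe and shimgapi.dll in the system folder, and a Run-key value that launches taskmon.exe from there), which can be run before and after the Stinger scan. The sample data and value names are constructed; treating the system folder as %SystemRoot%\System32 and flagging only a taskmon.exe launched from that folder are assumptions.

```python
import ntpath
import os
import sys

# Indicators from the write-up: files dropped into the system folder.
DROPPED_FILES = ("taskmon.exe", "shimgapi.dll")
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample data (value names and paths are illustrative only).
SAMPLE_SYSTEM_DIR = r"C:\WINDOWS\system32"
SAMPLE_RUN = {"SampleEntry": r"C:\WINDOWS\system32\taskmon.exe",
              "SampleAudio": "SOUNDMAN.EXE"}
SAMPLE_LISTING = ["kernel32.dll", "SHIMGAPI.DLL", "taskmon.exe"]


def suspicious_run_values(run_values, system_dir):
    """Names of Run values that launch taskmon.exe from system_dir."""
    want = ntpath.normcase(ntpath.join(system_dir, "taskmon.exe"))
    hits = []
    for name, command in run_values.items():
        cmd = ntpath.normcase(command.strip().lstrip('"'))
        # Accept a bare path, a quoted path, or a path followed by arguments.
        if cmd.startswith(want) and cmd[len(want):len(want) + 1] in ("", '"', " "):
            hits.append(name)
    return hits


def dropped_files_present(system_listing):
    """Entries of the system-folder listing that match the dropped file names."""
    return [f for f in system_listing if f.lower() in DROPPED_FILES]


def collect_local():
    """Read the live HKLM Run key and system folder (Windows only)."""
    import winreg
    system_dir = os.path.join(os.environ["SystemRoot"], "System32")  # assumption
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        for i in range(winreg.QueryInfoKey(key)[1]):
            name, data, _ = winreg.EnumValue(key, i)
            values[name] = str(data)
    return values, os.listdir(system_dir), system_dir


if __name__ == "__main__":
    live = sys.platform == "win32"
    run, listing, sysdir = (collect_local() if live
                            else (SAMPLE_RUN, SAMPLE_LISTING, SAMPLE_SYSTEM_DIR))
    print("Run values:", suspicious_run_values(run, sysdir))
    print("Files:", dropped_files_present(listing))
```

Both lists should come back empty after the clean-up; any remaining entry means the machine should stay disconnected and be scanned again.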

 

 

