This Internet worm was written in Borland/Delphi. Upon execution, it copies itself to a KERNEL.32.EXE file in the /%Windows%/ folder and then modifies the registry as follows so that its copy executes upon Windows startup:
It modifies the load= line under the [windows] section of the WIN.INI file:
It modifies the shell= line under the [boot] section of the SYSTEM.INI file:
The worm uses Microsoft Outlook to send emails with a copy of itself as an attachment, CUTE.EXE, to all email addresses listed in the infected user's address book.
It propagates via AOL Instant Messenger and MSN Messenger by sending a copy of itself to all recipients listed in the infected user's contact list.
The following text strings are found in the worm code:
Thoughts... I just found this program, and, I don't know why... but it reminded me of you. Check it out.
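A defender-side check for the two startup hooks described above (the load= line under [windows] in WIN.INI and the shell= line under [boot] in SYSTEM.INI), as an added example that is not part of the original description. The function names, the assumption that a stock shell= line holds only Explorer.exe, and the sample file contents are constructed for illustration; the exact values the worm writes are not given on this page.

```python
import ntpath

DROPPED_NAME = "kernel.32.exe"   # file name given in the description above
DEFAULT_SHELL = "explorer.exe"   # assumption: stock Windows shell= value
# file -> (section, key) that the description says the worm modifies
HOOKS = {"win.ini": ("windows", "load"), "system.ini": ("boot", "shell")}

def read_hook(ini_text, section, key):
    """Return the first value of `key` inside `[section]`, or '' if absent.
    Hand-rolled because SYSTEM.INI legitimately repeats keys (device=)."""
    current = None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
        elif current == section and "=" in line:
            name, value = line.split("=", 1)
            if name.strip().lower() == key:
                return value.strip()
    return ""

def check_startup_hooks(files):
    """files maps 'win.ini' / 'system.ini' to file text.
    Returns (file, key, program, verdict) for every unexpected entry.
    Limitation: entries are split on whitespace, so long paths with spaces
    are reported in pieces."""
    findings = []
    for fname, (section, key) in HOOKS.items():
        for prog in read_hook(files.get(fname, ""), section, key).split():
            base = ntpath.basename(prog).lower()
            if fname == "system.ini" and base == DEFAULT_SHELL:
                continue  # the normal shell itself is expected
            verdict = "worm file name" if base == DROPPED_NAME else "review"
            findings.append((fname, key, prog, verdict))
    return findings

# Constructed samples: C:\WINDOWS stands in for the %Windows% folder.
CLEAN = {"win.ini": "[windows]\nload=\nrun=\n",
         "system.ini": "[386Enh]\ndevice=a\ndevice=b\n[boot]\nshell=Explorer.exe\n"}
HOOKED = {"win.ini": "; sample\n[Windows]\nLoad=C:\\WINDOWS\\KERNEL.32.EXE\n",
          "system.ini": "[boot]\nshell=Explorer.exe C:\\WINDOWS\\KERNEL.32.EXE\n"}

if __name__ == "__main__":
    for label, files in (("clean", CLEAN), ("hooked", HOOKED)):
        print(label, check_startup_hooks(files))
```

An entry marked "review" is any other program on either line; load= is normally empty, so each such entry deserves a look even when the file name differs.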