Upon execution, this memory-resident worm drops a copy of itself as the following file:
(Notes: %Windows% is the default Windows folder, usually C:\Windows or C:\WinNT. There is another normal file with the same name, MPREXE.EXE, located in the Windows system folder.)
This malware then creates the following registry entry so that it is able to run at every system startup:
Explorer = "%Windows%\mprexe.exe"
It also creates/modifies the following registry entries:
MainServer = "http://www.kamerali.com/ip.txt"
NoDispCPL = dword:00000001
DisableRegistryTools = dword:00000001
The last registry entry is intended to disable REGEDIT.EXE, but in practice this routine does not take effect.
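As an added triage example (not part of this write-up), the following script parses a registry export and flags the entries listed above, distinguishing the dropped %Windows%\mprexe.exe from the legitimate MPREXE.EXE in the system folder. The key locations and the .reg sample are assumptions and constructed data, since the write-up names the values but not their keys.

```python
import re
from pathlib import PureWindowsPath

# Key locations are assumptions: the write-up names the values but not their keys.
RUN_KEYS = {r"hkey_local_machine\software\microsoft\windows\currentversion\run",
            r"hkey_current_user\software\microsoft\windows\currentversion\run"}
POLICY_VALUES = {"DisableRegistryTools", "NoDispCPL"}

# Constructed .reg export (not a real capture) mirroring the entries described above.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Explorer"="C:\\Windows\\mprexe.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispCPL"=dword:00000001
"DisableRegistryTools"=dword:00000001
[HKEY_CURRENT_USER\Software\PLACEHOLDER_WORM_KEY]
"MainServer"="http://www.kamerali.com/ip.txt"
'''

def parse_reg_export(text):
    """Return {key: {name: value}} from the [key] and "name"=value lines of a .reg export."""
    entries, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            entries.setdefault(key, {})
        elif key and (m := re.match(r'^"([^"]+)"=(.+)$', line)):
            name, val = m.group(1), m.group(2)
            if val.startswith('"'):  # REG_SZ: drop quotes and undo the \\ escaping
                val = val.strip('"').replace("\\\\", "\\")
            entries[key][name] = val
    return entries

def is_dropper_path(value, windows_dir=r"C:\Windows"):
    """True only for mprexe.exe directly in %Windows%; the legitimate copy lives in the system folder."""
    p = PureWindowsPath(value)
    return p.name.lower() == "mprexe.exe" and str(p.parent).lower() == windows_dir.lower()

def find_indicators(text):
    findings = []  # empty list means none of the described registry traces were found
    for key, values in parse_reg_export(text).items():
        if key.lower() in RUN_KEYS and is_dropper_path(values.get("Explorer", "")):
            findings.append("run: Explorer -> " + values["Explorer"])
        for name in sorted(POLICY_VALUES & values.keys()):
            if values[name].lower() == "dword:00000001":
                findings.append("policy: " + name)
        if "kamerali.com" in values.get("MainServer", "").lower():
            findings.append("MainServer -> " + values["MainServer"])
    return findings
```

Run it against the output of `reg export` for the Run and Policies keys; a hit on the Run entry alone is the strongest signal, since the policy values can also be set legitimately by administrators.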
Analysis of the malware code shows that this worm attempts to propagate via email using MAPI (Messaging Application Programming Interface).
The email message has an attached copy of this malware, and includes the following text strings:
I Hope you reply me. Thank you very much for reading my msg Bye.
This worm terminates the following processes:
This worm displays a hoax message box containing the text "WARNING" in the status bar. The image is as follows:
This worm disables the Windows key. Consequently, all hotkeys that use the Windows key are also disabled. It also disables the ALT-TAB hotkey.
Analysis by: Joey N. Costoya