from symantec.com security alert
When the worm is executed by running the file Psecure20x-cgi-install.version.6.01.bin.hx.com, it does the following:
1. It copies itself as:
NOTE: %System% is a variable. The worm locates the \Windows\System folder (by default this is C:\Windows\System or C:\Winnt\System32) and copies itself to that location.
2. It adds the value
to the registry key
so that it runs when you start Windows.
3. Next, it drops the file \%System%\Email.vbs. It then uses Microsoft Outlook to spread itself. The email has the following characteristics:
NOTE: The subject and message each consist of only a period.
4. It drops the file \%System%\Index.html. It then attempts to run Psecure20x-cgi-install.version.6.01.bin.hx.com from the System folder by using a refresh tag in the dropped .html file. The following .html message appears:
Browser Plugin Required:
You may need to restart your browser for changes to take affect.
Security Certificate by Verisign 2002.
Click HERE and choose "Run" to install.
5. It drops the file \Windows\Aphex.jpg.
6. Finally, it attempts to spread itself using IRC or AOL Instant Messenger (AIM).
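For triage, the file artifacts named in steps 3 to 5 can be checked against a collected file listing. The following is an added example, not part of the Symantec alert: the function names, the sample listing and the HTML markup are constructed, and the alert does not show the real contents of Index.html.

```python
import re
from pathlib import PureWindowsPath

# Names and folders come from the alert text; matching ignores case and drive letter.
WORM_FILE = "psecure20x-cgi-install.version.6.01.bin.hx.com"
SYSTEM_DIRS = {r"\windows\system", r"\winnt\system32"}  # defaults listed in the NOTE
DROPPED_IN_SYSTEM = {"email.vbs", "index.html"}          # steps 3 and 4
APHEX = r"\windows\aphex.jpg"                            # step 5
META_REFRESH = re.compile(r'<meta[^>]*http-equiv\s*=\s*["\']?refresh["\']?[^>]*>', re.I)
URL_PART = re.compile(r'url\s*=\s*["\']?([^"\'>\s;]+)', re.I)

def classify(path):
    """Return which artifact from the alert a path matches, or None."""
    p = PureWindowsPath(path)
    tail = str(p).lower()[len(p.drive):]           # path without the drive letter
    parent = str(p.parent).lower()[len(p.drive):]
    name = p.name.lower()
    if name == WORM_FILE:
        return "worm executable"
    # Index.html and Email.vbs are common names: only count them in the System folder.
    if parent in SYSTEM_DIRS and name in DROPPED_IN_SYSTEM:
        return "dropped file in System folder"
    if tail == APHEX:
        return "dropped Aphex.jpg"
    return None

def refresh_target(html):
    """Return the URL a <meta http-equiv=refresh> tag points to, or None."""
    tag = META_REFRESH.search(html)
    url = URL_PART.search(tag.group(0)) if tag else None
    return url.group(1) if url else None

def scan(files):
    """files maps path -> text content or None. Returns {path: reason}."""
    hits = {}
    for path, content in files.items():
        reason = classify(path)
        target = refresh_target(content) if content else None
        if target and target.lower().endswith(WORM_FILE):
            reason = "HTML refresh tag launches worm executable"
        if reason:
            hits[path] = reason
    return hits

SAMPLE = {  # constructed listing: three artifacts, two benign look-alikes
    r"C:\Windows\System\Email.vbs": None,
    r"C:\WINNT\system32\Index.html": '<meta http-equiv="refresh" '
        'content="0; url=Psecure20x-cgi-install.version.6.01.bin.hx.com">',
    r"D:\Windows\Aphex.jpg": None,
    r"C:\inetpub\wwwroot\index.html": "<html>ok</html>",
    r"C:\Users\a\Pictures\aphex.jpg": None,
}
```

Calling `scan(SAMPLE)` flags the first three paths and ignores the two look-alikes, which is why the folder is checked along with the file name.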