This virus-worm spreads via the Internet using Microsoft Outlook. The worm itself is a Windows PE EXE file, having a size of 24,576 bytes, written in VBS. The worm seems to be based on the "Melissa" macro-virus worm - the functions and sequence of instructions in the worm code are very similar to the "Melissa" source code. It seems that this worm was compiled from a slightly modified "Melissa" source.
The worm is transferred via the net in Email messages with an infected attachment. The original attachment has the BADASS.exe name, but it is possible to rename the .exe file manually, and it then will spread with a new name.
When an infected message is received and the attached EXE file is executed, the worm gains control and starts its main routine. This routine displays message boxes, then runs the infection routine that opens the Outlook database, obtains e-mail addresses from the Address Book and sends infected messages to the addresses found. The subject in the infected messages contains the subject "Moguh.." and the message body is "Dit is wel grappig! :-)" in Dutch.
The worm does not send messages twice from the same computer. To avoid duplicate spreading, the worm creates a system registry key, and checks it upon each start:
HKCU\SoftWare\VB and VBA Program Settings\Windows\CurrentVersion "CMCTL32"="00 00 00 01" [Adult only--------------------------------------------------]
The first message box displayed by the worm appears as follows:
Kernel32 An error has occured probably because your **** smells bad. Is this really so? [ Yes ] [ No ]
Upon the mouse cursor moving to the [No] button, the worm moves this button another place to the left [Yes], and return it back when the mouse cursor moves near to button, and so on until clicking [Yes].
So the worm does not allow one to click the [No] button. When the [Yes] button is pressed, the worm displays another message and runs its infection routine:
WIN32 Contact your local supermarket for toiletpaper and soap to solve this problem. [ OK ]