This threat is detected by the 4127 DATs, or higher, under various names. The 4215 DATs, and higher, detect it as Bat/a.
This is an IRC-spreading worm and an intended mass mailer. It is designed to arrive in an email message containing the following information, but the mailing routine fails due to bugs:
Subject: Upgrade to Windows XP
Body: Good news from Microsoft. Click the attachment for your FREE Windows XP. Upgrade to Windows XP now.
When run, the batch file creates several other files.
| File | Description | Detected as |
|---|---|---|
| C:\MIRC\SCRIPT.INI | The dropped script.ini contains instructions to send the worm to all users upon joining the channel of the infected user. | MIRC/Generic |
| | A copy of the worm; fails to copy due to bug. | Bat/a |
| c:\XP\xp.bat | A copy of the worm; fails to copy due to bug. | Bat/a |
| c:\XPUpdate.reg | Contains instructions to create a registry run key to load the worm at startup: *HKLM\SOFTWARE\Microsoft\Windows\ | |
| c:\X.vbs | A VBScript file that contains instructions to email the worm to all users in the Outlook Address book (fails due to bug), go to the web address "http://www.yahooka.com" and use PING to DoS attack "www.hotmail.com". | VBS/Generic@MM |
Additionally, the batch file attempts to overwrite McAfee DAT files with itself. This action will fail if the DAT files are in use.
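A triage check for the artifacts described above, as an added example that is not part of the original write-up or any vendor tool: it matches a file listing against the dropped paths in the table and scans a script.ini for JOIN handlers that issue a DCC send, which is the behaviour the table attributes to the dropped file. The `n<index>=` line layout, the function names and the sample script are assumptions constructed for illustration.

```python
import re

# Dropped-file paths exactly as listed in the table above.
DROPPED = [r"C:\MIRC\SCRIPT.INI", r"c:\XP\xp.bat", r"c:\XPUpdate.reg", r"c:\X.vbs"]

# Assumed script.ini layout: each line is "n<index>=<script text>".
LINE_PREFIX = re.compile(r"^\s*n\d+\s*=")
JOIN_EVENT = re.compile(r"^on\s+[^:\s]+:JOIN:", re.IGNORECASE)
DCC_SEND = re.compile(r"\bdcc\s+send\b", re.IGNORECASE)

def match_dropped(listing):
    """Return the paths in a file listing that match the table (case-insensitive)."""
    known = {p.lower() for p in DROPPED}
    return [p for p in listing if p.lower() in known]

def scan_script_ini(text):
    """Return (line_no, line) for every 'dcc send' found inside a JOIN handler."""
    hits, depth, in_join = [], 0, False
    for no, raw in enumerate(text.splitlines(), 1):
        body = LINE_PREFIX.sub("", raw).strip()
        if depth == 0:  # a new top-level statement starts here
            in_join = bool(JOIN_EVENT.match(body))
        if in_join and DCC_SEND.search(body):
            hits.append((no, raw.strip()))
        # Track braces so multi-line handlers are followed to their closing brace.
        depth = max(0, depth + body.count("{") - body.count("}"))
    return hits

# Constructed sample (not taken from the worm); the file path is a placeholder.
SAMPLE_INI = r"""[script]
n0=on 1:JOIN:#:{
n1=  if ($nick == $me) { halt }
n2=  /dcc send $nick C:\EXAMPLE\placeholder.bat
n3=}
n4=on 1:TEXT:!notes:#:/dcc send $nick notes.txt
n5=on 1:JOIN:#:/msg $chan welcome $nick
"""

if __name__ == "__main__":
    for no, line in scan_script_ini(SAMPLE_INI):
        print(f"script.ini line {no}: {line}")
    print(match_dropped([r"c:\mirc\script.ini", r"C:\Windows\notepad.exe"]))
```

The DCC send in the TEXT handler and the JOIN handler that only posts a message are left unflagged, so only sends triggered by a channel join are reported.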