CoolNotepad is an email worm that propagates through both Microsoft Outlook and mIRC, similar to the LoveLetter worm. The infection will start with the user receiving an infected email that may look like this:
- Cool Notepad Demo
- Hey check out this text file I sent it will do something neat in notepad. Enjoy :)
As common file extensions are hidden by default, the user will simply see "COOL_NOTEPAD_DEMO.TXT", and thus believe it to be simply a text document, and thus may open it without suspecting it to be malicious.
The worm, like many others, will search for contacts in Outlook's address book, sending copies of the email above with the worm attached. It can also spread through IRC, infecting channels which will attempt to send the file to users who attempt to join it.
The worm will add itself to the system registry such that it executes on startup:
COOL_NOTEPAD_DEMO = <FileName>
It will also edit the registry such that all shortcuts on the desktop are hidden:
- NoDesktop = 1
- Kaspersky Threats, Email-Worm.VBS.CoolNotepad