Fix2001 is a virus worm that spreads via the Internet. It works similar to the Happy99 worm: it installs itself into the system, hooks the Internet access Windows functions, obtains Internet addresses to where it sends its copies. The worm has bugs and replicates under Win9x only, not under WinNT.
The worm appears as a "Fix20001.Exe" file attached to an e-mail message. The message has the subject "Internet problem year 2000." and the message text is written in two languages: English and Spanish:
Estimado Cliente: Rogamos actualizar y/o verificar su Sistema Operativo para el correcto funcionamiento de Internet a partir del Año 2000. Si Ud. es usuario de Windows 95 / 98 puede hacerlo mediante el Software provisto por Microsoft (C) llamado -Fix2001- que se encuentra adjunto en este E-Mail o bien puede ser descargado del sitio WEB de Microsoft (C) HTTP://WWW.MICROSOFT.COM Si Ud. es usuario de otros Sistemas Operativos, por favor, no deje de consultar con sus respectivos soportes tecnicos. Muchas Gracias. Administrador. Internet Customer: We will be glad if you verify your Operative System(s) before Year 2000 to avoid problems with your Internet Connections. If you are a Windows 95 / 98 user, you can check your system using the Fix2001 application that is attached to this E-Mail or downloading it from Microsoft (C) WEB Site: HTTP://WWW.MICROSOFT.COM If you are using another Operative System, please don't wait until Year 2000, ask your OS Technical Support. Thanks. Administrator.
The worm also contains text strings that are used to generate and send attached data in an e-mail message, as well as the texts:
RCPT TO: @hotmail.com> @ciudad.com.ar> Fix2001 THE REAL KEY TO LIVE A HAPPY LIFE, IS: BE A GOOD MAN. PARA CONSEGUIR LA VERDADERA FELICIDAD, SE UN BUEN TIPO.
The attached file (the worm itself) is a Windows executable file about 12Kb in length. When executed, it installs itself into the system Windows directory with the FIX2001.EXE name and registers itself in the "Run=" system registry key to activate its copy upon each Windows restart:
HKEY_LOCAL_MASHINE\Software\Microsoft\Windows\CurrentVersion\Run Fix2001 = "FIX2001.EXE"
The worm then displays a fake message to hide its activity.
Upon being run from the installed FIX2001.EXE copy, the worm registers itself as a system-service process (to hide its window and stay active upon user logoff) with the "AMORE_TE_AMO" identification Window's headline; gains access to the WSOCK32.DLL Internet connection library; obtains addresses for "connect" and "send" functions; patches them with call instructions to the worm's hookers; and stays in the Windows memory as hidden applications.
When the Internet connection is activated, the worm scans data that is sent and received, obtains Internet addresses from there, and sends infected messages to these addresses.
The worm has a very dangerous payload that is activated when the text strings in the worm's body are patched or corrupted (this is possible, because the data are transferred via Internet channels). In this way, the worm overwrites the C:\COMMAND.COM file with a DOS Trojan that upon the next computer reboot, erases all data on the hard drive.
This payload fails on Windows NT-based systems as the COMMAND.COM file is not part of the startup.