I-Worm.Buzill Buzill is a worm virus spreading via the Internet as an attachment to infected emails. The worm itself is a Windows PE EXE file about 30KB in length (there is also a known variant that is compressed by UPX, (the compressed size is about 16KB). The Buzill worm is written in Visual Basic. Infected messages have the following features: The Subject field is either empty or randomly selected from the following variants: Body text: Here is the file I told you about. Dont tell anybody.Shhhhhhhh The Attachment file's name is randomly selected from the following variants: gresge.exe slfklsbsklf.exe hsldnlg.exe bsdkskshf.exe qewlwlef.exe qfdsdjl.exe nlddoe.exe vdngdg.exe fsdhhgdd.exe nfkrjhgr.exe lsjsdf.exe pqweopwrore.exe wrretert.exe pjlfdg.exe nnbvcncld.exe The worm activates from infected emails only if a user clicks on the attached file. If this action is taken the worm then installs itself to the system and runs its spreading routine and payload. Installing While installing the worm copies itself to the C:\ drive's root directory using a randomly selected name (please note the list of possible names for the file attachment above), and registers this file in the system registry auto-run key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run BuzzKill = %worm file name% Spreading To send infected messages the worm uses MS Outlook and sends infeceted messages to all the addresses found in the Outlook address book. Payload On February 14th the worm displays the message: IWorm.BuzzKill Happy Birthday Joshua!! and proceeds to delete all the files in the root directory of the C: drive. For more details please visit the Kaspersky Virus Encyclopedia at: http://www.viruslist.com/eng/viruslist.html?id=58003