TrendMicro: WORM_JEANS.A

Discussion in 'malware problems & news' started by Randy_Bell, Mar 27, 2005.

Thread Status:
Not open for further replies.
  1. Randy_Bell

    Randy_Bell Registered Member

    WORM_JEANS.A is a memory-resident worm that attempts to propagate via email with itself as an attachment, using its own Simple Mail Transfer Protocol (SMTP) engine. It may use a polymorphic engine to drop a file containing the source code of the worm, and then recompile it to produce a different appearance. While the inclusion of source code in the worm is not new behavior (BAGLE variants included this), the recompilation of the dropped source code is. This "courier virus" behavior is described as the worm being able to carry its whole source code within itself and eventually drop and recompile it in the infected computer to create new variants of itself. It infects computers running Windows 98, ME, NT, 2000, and XP.

    Upon execution, the worm drops a copy of itself as INCUBATOR.SCR in the Windows folder or BIGFISH.SCR in the Windows system folder. It creates registry entries that allow it to automatically execute at every system startup. It also adds registry entries such that when certain applications are executed, this worm runs instead of the programs selected.

    This worm attempts to propagate via email. It searches for target email addresses in files with the following file name extensions:

    * .asp
    * .htm
    * .xml

    It retrieves SMTP servers from the system registry, and then attempts to send a copy of itself as an attachment using its own SMTP engine. The email message that it attempts to send contains the following details (however, due to bugs in its code, this worm is not able to execute this propagation routine):

    From: Don Quijote y Sancho Panza

    Subject: juas juas cuidadin con el attachhhhrrrr!!!!!

    Message body: juas juas juas peaso de bicho que lleva el attach!!! juas juas!!! :D
    Vallez\29a

    Attachment: soyunpeasodebichooooooo.scr

    This worm may also display a message box with the following:

    Win32.Genome coded by ValleZ/29a

    If you would like to scan your computer for WORM_JEANS.A or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com/

    WORM_JEANS.A is detected and cleaned by Trend Micro pattern file #2.460.00 and above.
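
The indicators listed in the post above, turned into a mail and folder check. This is an added example, not part of the original post and not Trend Micro code; the function names, the generic `.scr` attachment rule and the constructed sample message are assumptions made for illustration.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Indicators copied from the advisory text in the post above.
SUBJECT = "juas juas cuidadin con el attachhhhrrrr!!!!!"
SENDER_NAME = "Don Quijote y Sancho Panza"
ATTACHMENT = "soyunpeasodebichooooooo.scr"
DROPPED = {"windows": "incubator.scr", "system": "bigfish.scr"}


def check_message(raw: bytes) -> list:
    """Return the advisory indicators that a raw mail message matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if str(msg.get("Subject", "")).strip().casefold() == SUBJECT.casefold():
        hits.append("subject")
    if SENDER_NAME.casefold() in str(msg.get("From", "")).casefold():
        hits.append("sender")
    for part in msg.walk():
        name = (part.get_filename() or "").strip().casefold()
        if name == ATTACHMENT:
            hits.append("attachment-name")
        elif name.endswith(".scr"):
            hits.append("scr-attachment")  # assumption: flag any screensaver file
    return hits


def check_folders(windows_dir: str, system_dir: str) -> list:
    """Return paths of the dropped copies named in the advisory, if present."""
    found = []
    for key, folder in (("windows", windows_dir), ("system", system_dir)):
        if not os.path.isdir(folder):
            continue
        for entry in os.listdir(folder):
            if entry.casefold() == DROPPED[key]:  # Windows names ignore case
                found.append(os.path.join(folder, entry))
    return found


def sample_message(subject: str, sender: str, filename: str) -> bytes:
    """Build a constructed test message; the attachment body is inert text."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "user@example.invalid", subject
    m.set_content("constructed sample body")
    m.add_attachment(b"inert placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()
```
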
     
  2. Happy Bytes

    Happy Bytes Guest
