WORM_BLUEWORM.F is a memory-resident worm that propagates via email. It deletes registry entries and files associated with antivirus programs, and also terminates certain processes associated with various antivirus applications. This worm is currently spreading in-the-wild and infecting systems running Windows 95, 98, ME, NT, 2000 and XP. Upon execution, it drops a copy of itself in the Windows system folder using 10 different file names. It then creates the folder, %Windows%\VOLUME, where it drops a copy of itself using the same file name as any file found in the Windows folder. This worm also drops another copy of itself as %Program Files%\Internet Explorer\Media Player.exe. Some of the dropped files are compressed using the WinZip application. In order to send email messages, this worm drops and registers the file OSSMTP.DLL in the Windows system folder. In the same folder, it also drops the following non-malicious files: about.txt, About_BlackWorm.C.txt, Music09.rm, Special.rm, Vide01.jpg This worm creates registry entries that allow it to execute at every Windows startup. In addition, it searches the local area network for shared network drives that are write-enabled and drops copies of itself in accessed shares using the file name GOOD MUSIC.SCR. This worm propagates by sending a copy of itself via email to all addresses listed in the MSN and Yahoo messenger applications. It also obtains target email addresses from files containing the following extension names: HTM, DBX The email message that it sends out has the following details: From: • firstname.lastname@example.org • email@example.com • firstname.lastname@example.org • email@example.com • King_sexy@hotmal.com • firstname.lastname@example.org • email@example.com • firstname.lastname@example.org • email@example.com • firstname.lastname@example.org • Bad Love • Binnn MT • Genius • Lola Ashton • Ralph • Sara GL • spoofed_names • Sweet Women • The Moon • Thomas Subject/Message body: (any of the following) • For all Members repit the reactive one time. • Hello • Important • Please reactive now • Please reactive now. • Please Read • reactive now • Thank you • Thanks Attachment: (Refer to the Technical Details section of this virus description, posted on the Trend Micro Web site.) It then deletes registry entries and files associated with security and antivirus products from Hyper Technologies, Symantec, McAfee, and Trend Micro. If you would like to scan your computer for WORM_BLUEWORM.F or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com WORM_BLUEWORM.F is detected and cleaned by Trend Micro pattern file 2.171.05 and above.