WORM_CULT.C is a memory-resident variant of WORM_CULT.A. It uses its own Simple Mail Transfer Protocol (SMTP) engine to propagate via email and uses Internet Relay Chat for its backdoor capabilities.

Upon execution, it creates an IEXPLORER.EXE file in the Windows system directory, which is typically any of the following depending on the operating system:

C:\Windows\System - on Windows 95, 98, and ME
C:\WinNT\System32 - on Windows NT and 2000
C:\Windows\System32 - on Windows XP

It spoofs the email address in the "from:" field of the email it sends, using a list of 148 possible choices. The details of the email are as follows:

From: <randomly generated using any of the following domains>
Earthlink.net
email.com
hotmail.com
msn.com
Roadrunner.com
yahoo.com

Subject: Hi , I sent you an eCard from Blue-Mountain.com

Message Body:
To view your eCard, open the attachment
If you have any comments or questions, please visit http://www.bluemountain.com/customer/index.pd
Thanks for using BlueMountain.com.

Attachment: BlueMountaineCard.pif

The attachment is a copy of the worm.

This malware also acts as a server program performing backdoor capabilities. Once resident, it attempts to connect to an Internet Relay Chat (IRC) server. Upon connection, it joins a particular chat room using a random nickname. Then it notifies a remote user that an infected system is ready to receive and process commands.

An infected system sends the following information to a remote user:

CPU speed, RAM size (total and free)
Windows platform used and its build and version
Internet connection type and IP address
User name and domain

As a server backdoor component, this malware also opens random ports where it listens at one-second intervals for commands from the remote user. It enables the malicious user to issue the following commands, which adversely compromise system security:

Download updated copies of itself
Download files and run them on the infected system
Propagate via IRC and email
Launch a DoS attack against a certain IP address

If you would like to scan your computer for WORM_CULT.C or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com

WORM_CULT.C is detected and cleaned by Trend Micro pattern file #510 and above.
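The email characteristics described in this advisory can be expressed as a mail-gateway check. This is an added example, not Trend Micro's detection logic: the function names, the quarantine rule and the sample messages are constructed here, and flagging any other .pif attachment is a generalization beyond the advisory.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators copied from the advisory text (compared case-insensitively).
SUBJECT_MARKER = "I sent you an eCard from Blue-Mountain.com".lower()
BODY_MARKER = "To view your eCard, open the attachment".lower()
ATTACHMENT_NAME = "BlueMountaineCard.pif".lower()

def match_indicators(raw):
    """Return the advisory indicators present in one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if SUBJECT_MARKER in str(msg.get("Subject", "")).lower():
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is not None:
        # Collapse whitespace so a wrapped line still matches.
        text = " ".join(body.get_content().lower().split())
        if BODY_MARKER in text:
            hits.append("body")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name == ATTACHMENT_NAME:
            hits.append("attachment-name")
        elif name.endswith(".pif"):  # assumption: renamed copy, same file type
            hits.append("pif-attachment")
    return hits

def should_quarantine(raw):
    """Hypothetical rule: exact attachment name, or a .pif plus matching text."""
    hits = set(match_indicators(raw))
    return "attachment-name" in hits or (
        "pif-attachment" in hits and bool(hits & {"subject", "body"}))

def build_sample(subject, body, filename):
    """Constructed test message with an inert placeholder attachment."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "user@example.org"
    m["Subject"] = subject
    m.set_content(body)
    m.add_attachment(b"constructed placeholder, not malware",
                     maintype="application", subtype="octet-stream",
                     filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    sample = build_sample("Hi , I sent you an eCard from Blue-Mountain.com",
                          "To view your eCard, open the attachment",
                          "BlueMountaineCard.pif")
    print(match_indicators(sample), should_quarantine(sample))
```

The spoofed "From:" domains are left out of the rule because they are ordinary mail providers and would match legitimate mail.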