WORM_GIFT.C is a non-destructive worm that propagates via email. It sends copies of itself as attachments to email messages it sends. It uses Microsoft Word to compose email messages. WORM_GIFT.C is currently spreading in-the-wild, and infecting systems running Windows 98, ME, NT, 2000, and XP. Upon execution, this worm drops a copy of itself as RUNDLLW32.EXE in the Windows system folder. It creates a registry entry to ensure that it automatically executes at every Windows startup. Upon first execution, this worm displays a message box containing the following strings, and then becomes memory-resident at the next Windowsstartup: * Install error * File data corrupt: * probably due to bad data transmission or bad disk access This worm uses Microsoft Word to compose the email messages it sends, and uses MAPI to send them out. To search for addresses to use as email recipients and sender, this worm searches for files with the following extensions: * .HT<any character> * .ASP It then sends email messages with any of the following Subject lines: * benchmark * cool mail * Cracks * Damn crack... * Disk tool * freeIRC beta mail list * Honey * IE Plug-in * IE5 security patch * Improve your site * JsvaScript 4 Docs * My Rom list * NS Plug-in * Secure Communications Inc. * Sex Farm - Adult contents * Sexy game * Shield PAK Installation * VB examples * y2k fix * your dlls Please view the Technical Details section of this virus description, for complete information on the subject, message body, and attachment details of the emails sent by this worm. If you would like to scan your computer for WORM_GIFT.C or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com/ WORM_GIFT.C is detected and cleaned by Trend Micro pattern file #2.327.00 and above.