WORM_MEXER.E is a memory-resident worm that propagates via peer-to-peer (P2P) file-sharing networks, particularly Kazaa and Imesh, and by mailing copies of itself via Simple Mail Transfer Protocol (SMTP). This worm creates a folder and drops several copies of itself into this folder, using filenames that pertain to software, moviews, or games. It gathers email addresses from the infected system by scanning certain files for email addresses it can send to. WORM_MEXER.E is currently spreading in-the-wild and infecting systems running Windows 95, 98, ME, NT, 2000, and XP. Upon execution, this memory-resident worm displays a message box. It then adds a registry entry that allows it to automatically execute at every system startup. To propagate via peer-to-peer file-sharing networks - specifically Kazaa and Imesh - the worm creates three more registry entries. This worm then creates a folder, named sysnet, in the root folder and drops 42 files in it. It also drops another set of randomly named files in this same folder. The filenames are formed using a combination of 70 different naming strings comprised of the titles or names of popular software, movies, and games. These filenames are meant to entice P2P network users to download and execute them. Read the Technical Details of the Virus Description for the full list of naming strings. This worm also searches for the following files: C:\*.DBX, C:\*.DOC, C:\*.HTM, C:\*.RTF, C:\*.SHT, C:\*.TXT, C:\*.WAB If found, the worm scans these files for email addresses and sends email to these addresses. It skips email addresses with the following strings: admi, host, kasp, micr, newv, root, supp, viru, webm It sends email via Simple Mail Transfer Protocol (SMTP) with any of the following details: Subject: EBAY Information Message body: EBAY Installer... Attachment: <files from the sysnet folder> Subject: VISA Information Message body: Security Tool... Attachment: <files from the sysnet folder> Subject: Provider Information Message body: New account data... Attachment: <files from the sysnet folder> Subject: Your Crack1 Message body: Here is your crack! Attachment: <files from the sysnet folder> Subject: Internet Information Message body: New account data... Attachment: <files from the sysnet folder> If you would like to scan your computer for WORM_MEXER.E or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com/ WORM_MEXER.E is detected and cleaned by Trend Micro pattern file 2.178.00 and above.