Effects
When CoolNotepad carries out its infection, it has the following effects:
Infection strategy
CoolNotepad creates the following files:
- COOL_NOTEPAD_DEMO.TXT.VBS, in the Windows system directory. This file is a copy of the worm.
- SCRIPT.INI. CoolNotepad uses this file to spread to other computers. This file is only created if mIRC (MIRC.INI) is installed on the affected computer.
CoolNotepad creates the following entry in the Windows Registry:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
COOL_NOTEPAD_DEMO = %sysdir%\COOL_NOTEPAD_DEMO.TXT.vbs
where %sysdir% is the Windows system directory.
By creating this entry, CoolNotepad ensures that it is run whenever Windows is started.
CoolNotepad modifies the following entry in the Windows Registry:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop
CoolNotepad adds the value 0x00000001 to this entry. By doing this, CoolNotepad hides the Windows Desktop.
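A defender's check for the two registry indicators above, as an added example that is not part of the original description: it parses the text of a `reg export` file and reports a Run entry whose target hides a script extension behind a document-like one (generalizing from `.TXT.vbs`) and a NoDesktop policy set to 1. The sample export, its `C:\WINDOWS\SYSTEM` path and the function names are constructed for illustration.

```python
import re

# Constructed sample in `reg export` text format (not from a real host).
# Real exports are usually UTF-16; decode them before calling these functions.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"COOL_NOTEPAD_DEMO"="C:\\WINDOWS\\SYSTEM\\COOL_NOTEPAD_DEMO.TXT.vbs"
"SystemTray"="SysTray.Exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDesktop"=dword:00000001
'''

RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
POLICY_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\policies\explorer"
# Script extension hidden behind a document-like one, e.g. ".TXT.vbs".
DOUBLE_EXT = re.compile(r"\.(txt|doc|jpg|pdf)\.(vbs|vbe|js|jse|wsf)$", re.I)
VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')

def parse_reg_export(text):
    """Return {key_lowercased: {value_name: raw_data}} from .reg text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = VALUE_LINE.match(line)
            if m:
                current[m.group("name")] = m.group("data")
    return keys

def find_indicators(text):
    """List (kind, value_name, detail) tuples for the indicators described above."""
    keys = parse_reg_export(text)
    findings = []
    for name, data in keys.get(RUN_KEY, {}).items():
        # .reg string data is quoted and has its backslashes doubled.
        path = data.strip('"').replace("\\\\", "\\")
        if DOUBLE_EXT.search(path):
            findings.append(("run-double-extension", name, path))
    # Registry value names are case-insensitive, so compare in lower case.
    policy = {n.lower(): d.lower() for n, d in keys.get(POLICY_KEY, {}).items()}
    if policy.get("nodesktop") == "dword:00000001":
        findings.append(("desktop-hidden", "NoDesktop", "0x00000001"))
    return findings
```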
Means of transmission
CoolNotepad spreads rapidly via e-mail messages and IRC chat channels.
1.- Transmission via e-mail.
CoolNotepad follows the routine below:
- It reaches computers in an e-mail message with the following characteristics:
Subject:
Cool Notepad Demo
Message:
Hey check out this text file I sent it will do something neat in notepad.
Enjoy :-)
Attachments:
COOL_NOTEPAD_DEMO.TXT.VBS
- When the user runs the attached file, the computer is affected.
- It sends itself out to all the contacts in the Address Book.
2.- Transmission via IRC.
When the infected user connects to an IRC chat channel, CoolNotepad sends itself out to all the users connected to the channel at the time.
Further Details
The worm code contains the following text:
COOL_NOTEPAD_DEMO VBS virus - by VxF
This will scan as a LoveLetter Variant which it kinda is but this is
my first VBS virus I ever made which I used to study and learn some of
the common functions used to create viruses using VBS.
Beginning of code