Once the worm is activated, it performs the following actions on files that meet these conditions:
Those files with VBS, VBE, JS, JSE, CSS, WSH, SCT or HTA extensions are overwritten (thereby deleting the original file data). In addition, their size is truncated and their extension changed to VBS.
Files with INI or BAT extensions are also overwritten and truncated. The VBS extension is appended to the original file name (thereby giving .JPG.VBS or .JPEG.VBS extensions).
If the worm finds files with MP3 or MP2 extensions, it creates a copy of itself. This copy has the same name as the original file (including the extension), to which the VBS extension is added. The worm then hides the original file.
The worm creates the file SCRIPT.INI in every directory where one of the following files is found: MIRC32.EXE, MLINK32.EXE, MIRC.INI, SCRIPT.INI or MIRC.HLP. This file is in charge of sending the file MOTHERSDAY.HTM via IRC to all users connected to the same IRC channel as the infected user.
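The file-system traces listed above (double-extension .VBS files next to hidden or overwritten originals, a SCRIPT.INI that references MOTHERSDAY.HTM in a mIRC directory, and the renamed WINFAT32.EXE described below) can be hunted for with a simple walk of the disk. The following scanner is an added example written for this page; it is not the antivirus vendor's detection logic, and the sample directory tree it builds is constructed here for illustration. A SCRIPT.INI is a normal part of a mIRC installation, so the scanner only flags one whose contents mention MOTHERSDAY.HTM.

```python
"""Added example: scan a directory tree for the file-system indicators
described on this page. Hypothetical helper, not vendor detection code."""
import os
import tempfile
from typing import Dict, List

# Inner extensions that the description says end up as <name>.<ext>.VBS,
# either because the original was overwritten and renamed (INI, BAT, JPG, ...)
# or because the worm copied itself beside a hidden original (MP3, MP2).
INNER_EXTS = {
    "vbs", "vbe", "js", "jse", "css", "wsh", "sct", "hta",
    "ini", "bat", "jpg", "jpeg", "mp3", "mp2",
}
# Files whose presence marks a mIRC directory (taken from the description).
MIRC_MARKERS = {"mirc32.exe", "mlink32.exe", "mirc.ini", "script.ini", "mirc.hlp"}
# Names of the downloaded component before and after it is renamed.
DROPPED_NAMES = {"win-bugsfix.exe", "winfat32.exe"}


def scan_tree(root: str) -> Dict[str, List[str]]:
    """Walk `root` and return matching paths grouped by indicator type."""
    findings: Dict[str, List[str]] = {
        "double_extension": [],
        "script_ini_mothersday": [],
        "dropped_file": [],
    }
    for dirpath, _dirs, files in os.walk(root):
        names = {f.lower() for f in files}
        is_mirc_dir = bool(names & MIRC_MARKERS)
        for fname in files:
            path = os.path.join(dirpath, fname)
            low = fname.lower()
            parts = low.split(".")
            # photo.jpg.vbs, song.mp3.vbs, autoexec.bat.vbs, ...
            if len(parts) >= 3 and parts[-1] == "vbs" and parts[-2] in INNER_EXTS:
                findings["double_extension"].append(path)
            # SCRIPT.INI is legitimate in mIRC; flag only one that names the
            # file the description says it sends over IRC.
            if low == "script.ini" and is_mirc_dir:
                with open(path, "r", errors="ignore") as fh:
                    if "mothersday.htm" in fh.read().lower():
                        findings["script_ini_mothersday"].append(path)
            if low in DROPPED_NAMES:
                findings["dropped_file"].append(path)
    return findings


def _write(path: str, text: str = "") -> None:
    """Create an (optionally empty) file, making parent directories as needed."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)


def run_demo() -> Dict[str, List[str]]:
    """Build a constructed sample tree in a temp directory and scan it."""
    base = tempfile.mkdtemp()
    _write(os.path.join(base, "music", "song.mp3.vbs"))       # copy beside hidden MP3
    _write(os.path.join(base, "pictures", "photo.jpg.vbs"))   # overwritten JPG
    _write(os.path.join(base, "autoexec.bat.vbs"))            # overwritten BAT
    _write(os.path.join(base, "pictures", "photo2.jpg"))      # clean file
    _write(os.path.join(base, "mirc", "mirc32.exe"))
    _write(os.path.join(base, "mirc", "script.ini"),
           "[script]\nn0=; constructed sample that mentions MOTHERSDAY.HTM\n")
    _write(os.path.join(base, "mirc-clean", "mirc.ini"))
    _write(os.path.join(base, "mirc-clean", "script.ini"), "[script]\nn0=; harmless\n")
    _write(os.path.join(base, "windows", "WINFAT32.EXE"))
    return scan_tree(base)


if __name__ == "__main__":
    for kind, paths in run_demo().items():
        print(f"{kind}: {len(paths)}")
        for p in paths:
            print("   ", p)
```

On a real system, point scan_tree at a drive root instead of the temporary tree; the mp3/mp2 case also warrants checking whether the original file beside the .VBS copy now carries the hidden attribute, which the example does not do because it runs on any platform.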
The Trojan downloads the file WIN-BUGSFIX.EXE from a web site chosen at random from among four possible addresses. It then runs this file and renames it WINFAT32.EXE. This file performs the following operations:
Every 150 milliseconds it looks for a window entitled "Connect to." Because it matches on that English title, this only occurs on computers running English-language operating systems.
If this window is found (it corresponds to a network connection), it turns the password originally entered for the connection into the saved default password. It does this by ticking, every 150 milliseconds, the option that saves the password used to connect.
The day after infection takes place, the Trojan gathers confidential system data every 48 seconds. It then sends all the data obtained to the e-mail address firstname.lastname@example.org (in the Philippines). The body of the e-mail sent to this address is:
Subject: Barok... email.passwords.sender.trojan
Date: Fri, 5 May 2000 05:17:28 +0200
Host: "name of the infected computer"
Username: "name of the infected user"
IP Address: "IP address in format xxx.xxx.xxx.xxx"
description of the connection
N#: "telephone number of the RAS connection in format (cc)ac-nnnnnnn"
Cache Passwords: "List of passwords in cache"