Discovered: January 16, 2002
Updated: February 13, 2007 11:51:04 AM
Type: Worm

This is a Microsoft Outlook worm with backdoor and pasword stealing features.

When this worm is executed, it does the following:

It creates the files:

  • C:\Userdat.sys
  • C:\System.dll

These are log files that the worm uses. It uses System.dll to log your keystrokes. This key logging feature can steal your username, password and other private, typed information.

The worm next creates the file \Windows\Winstart.bat.

It then creates copies of itself as:
  • \Windows\Kernel32.ini
  • \Windows\System\UserConf.exe

The worm also adds the value:

UserData     C:\Windows\System\UserConf.exe

to the registry key:


This will run the worm every time that you start Windows.

Antivirus Protection Dates

  • Initial Rapid Release version January 17, 2002
  • Latest Rapid Release version August 08, 2016 revision 023
  • Initial Daily Certified version January 17, 2002
  • Latest Daily Certified version August 09, 2016 revision 001

Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.

Writeup By: Gor Nazaryan