Virus-like program that spreads automatically to other computers by sending itself out by email or by any other means. A program that propagates itself by attacking other machines and copying itself to the affected machine.
Worms have self-replicating code that travels from machine to machine by various means. A worms first objective is merely propagation. Worms can be destructive depending on what payload they have been given. Worms may replace files, but do not insert themselves into files.
This worm is distributed through exploit .ani files that appear as JPEG's. This exploit affects fully patched Windows XP SP2 systems through IE 6 and IE 7.
Vunerable systems include:
Microsoft Windows 2000 Service Pack 4
Microsoft Windows XP Service Pack 2
Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium)
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003
Microsoft Windows Server 2003 for Itanium-based Systems
Microsoft Windows Server 2003 Service Pack 1
Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
Microsoft Windows Server 2003 x64 Edition
Microsoft Windows Vista
The worm is also distributed across the network via mapped networked drives and shortcuts to a network location. It will infect all executable files with the worm. It also attempts to write to the Floppy drive of the infected PC, which causes seemingly random floppy drive activity often; if no floppy disk is inserted, the user might be presented with an error regarding a floppy disk, even if no floppy disk has recently been used. If successful, it will write a copy of the worm's main executable (tool.exe) and an autorun.inf file. If the floppy is inserted into a clean PC, it will infect it.
Please refer to Microsoft Security Bulletin MS05-002 for information on the animated cursor vulnerability.
A tell-tale sign that a PC is infected with this is an error message called "Windows - No Disk" that says, "Exception processing message c0000013 75b6bf9c 4 75b6bf9c 75b6bf9c."