by ?
Written in Delphi, compressed with UPX
Released in January 2002
This mass-mailing worm drops a remote access trojan and attempts to send itself to email addresses found within files on the local system. Currently this worm is incapable of emailing itself to others because the hard-coded mail server it uses (smtp.wanadoo.fr) has turned relaying off.

The worm is designed to send itself using the following information:

From: [email protected]
Subject: WARNING : Black_Piranha
Body:
Si vous pouvez lire cet e-mail, c'est que les services Microsoft on détecter la présence du virus Black_Piranha dans votre système Windows. pour désinfecter votre système vous n'avez qu'a exécuter le programme en piece jointe. Pour plus d'informations : http://www.microsoft.com
Attachment: MSsecu.exe

Executing the attachment infects the local machine. The MSsecu.exe file is copied to the WINDOWS directory. It's a dropper program, which displays pornographic images in a window.

WinSystem gathers email addresses from the following files:

.ASP
.HTM
.HTML
.PHP
README.TXT

These addresses are saved to the file BDN.COM in the WINDOWS directory.

The worm also acts as a backdoor trojan, listening on port 314, and emails your IP address to the author: [email protected]

(McAfee)

size: 633.344 bytes

Dropped Server:
c:\WINDOWS\WinSystem.exe
size: 190.976 bytes
port: 314 TCP

startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "WinSystem"

added:
c:\WINDOWS\bdn.com
c:\WINDOWS\MSsecu.exe

MegaSecurity