FYI>>F-Secure Virus Descriptions

carl william spitzer iv cwsiv_2nd at JUNO.COM
Thu Feb 14 17:45:18 MST 2002

     NAME: Welyah
     ALIAS: I-Worm.Welyah

     Welyah  is a mass-mailer worm that is 110 kilobytes in  size
     and was written in Visual Basic.

     The worm utilises it's own SMTP engine so it does not depend
     on  Outlook for e-mail sending. The recipient addresses  are
     collected  from  different files in the system,  e.g:  *.wab
     files (Windows Address Book), *.mbx (Mailbox).

     Messages sent by Welyah look like this:

     The  attachment  name  is disguised as a text  file  but  it
     has  .pif extension that is not visible because of the  many
     space characters before it.

     The  worm also uses the IFRAME vulnerabilty that makes  Out-
     look to execute the attachment automatically. More  informa-
     tion  on the vulnerabilty can be found at  http://www.micro-

     When  the  attachment in executed it copies  itself  to  the
     Windows  directory  as  'Winl0g0n.exe' and adds  it  to  the
     runkeys in the registry as


     so the worm will be started when Windows starts up.

     [Analysis:  Gergely Erdelyi; F-Secure Corp.; 20th of  Decem-
     ber, 2001]

     >Friends shouldn't let other friends use Windows.
     >: damocles at :  Bruce Morrow, a man before and

Juno offers FREE or PREMIUM Internet access for less!
Join Juno today!  For your FREE software, visit:

More information about the Rushtalk mailing list