W32.Pokey.Worm


Aliases: Pokemon, I-Worm.Pikachu, Pokey.bat and Pokey
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Inactive
Spreading: Slow
Geographical info: Some parts of Asia, Europe, North and South America, Africa and Australia
Removal: Easy
Platform: W32
Discovered: 28 Jun 2000
Damage: Low

Characteristics: W32.Pkey.Worm first appeared on June 28, 2000. Also known as Pokemon, I-Worm.Pikachu, Pokey.bat and Pokey, this worm spreads as an attachment on email. A display of a Pokemon character appears once the worm is executed. Its payload is to delete the contents of the Windows and System folders. The operating systems this worm mostly affects are Windows 95, 98 and Me.

More details about W32.Pokey.Worm

When W32.Pokey.Worm is executed, it emails itself to every email address listed in the Microsoft Outlook Address Book. However, only active systems running Outlook can be infected and the worm does not run on Outlook Express. The email has the following characteristics: “Pikachu Pokemon” as the subject and Pikachupokemon.exe is the file attachment. This worm runs only if the Visual Basic 6 runtime library file Msvbnm60.dll is installed in the system. Then, the worm alters the Autoexec.bat file to remove or delete the contents of the Windows and System folders. Thus, the system becomes unstable when the contents of the Windows and System folders have been deleted.

Security software companies report that most of the servers spreading the W32.Pkey.Worm program are related to pornographic websites. Most of the video files that are used to spread it are adult-oriented as well. Porn web pages that offer free videos are often flagged as spreading the software. The W32.Pkey.Worm program can connect to remote servers. It may then download files into the system. The files and servers may change periodically. These files are malicious software that are installed and run in the system.