Threat Encyclopedia


Win32/Roach.B

Aliases: I-Worm.Roach.b, Win32.Nymph.28672, Trojan.Worm.Roach.B, W32.Efortune.28672@mm

Win32/Roach.B is a worm that spreads as an email file attachment. It requires Windows 95 or newer to run. Its size is 28672 bytes and its file body is encrypted.

Note: In the following text, the symbolic name %windir% is used in place of the name of the directory in which the Windows operating system is installed. This can differ from one installation to another.

The worm arrives as an email message with the files setup.exe and fortune.zip attached. The subject of the message is "Fw:" and its body consists of the following text:

SMACK!!!
You have been hit
This is the funny-attachment war! You have just been hit and by the rule book you can't hit this person back. To be in the game you need to send this message to five of your friends, try to find some small and funny attachment to send along. If you don't have time use the one you got hit by, go ahead hit someone!

After it is executed, the worm creates the files dccom32.exe and eggcase.att in the directory %windir%\System. The first file is a copy of the worm; the second is a zip archive containing two files: an executable file cookie.exe, 28672 bytes in size, and a text file FILE_ID.DIZ, 434 bytes in size. cookie.exe is another copy of the worm, and FILE_ID.DIZ contains the following text:

FortuneCookie 32 - Version 1.0
* FREEWARE *

DESCRIPTION:
============

FortuneCookie 32 is a Windows 32 version of the classical
fortune cookies you can get at some restaurants. It's very simple
double clicking on the cookie.exe file will bring up a fortune cookie.
This program is freeware so feel free to send out a word of
wisdom to your friends!

In the system registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, the worm creates the item "dcomdriver" and sets its value to the file %windir%\SYSTEM\dccom32.exe. This ensures that the worm is activated after every operating system restart. The worm contains texts in its body and occasionally displays them in a window. Those texts are as follows:

it is predictable, but I wouldn't like to predict it myself. - C. Lawson
100,000 lemmings can't be wrong.
A friend in need is a pain in the ass.
A man is as old as he feels. But never as important.
A man is as old as the woman he feels.
Always be sincere - Even when you don't mean it.
Always tell her she's pretty, especially when she isn't.
Anyone who can see through a woman is missing a lot.
Avoid life - It'll kill you in the end.
Do to the other fellow as he would do unto you. But for God's sake do it first!
Experience, the name given by men to their mistakes.
Get stoned - Drink liquid cement.
Happiness can't buy money.
If a woman wants to learn to drive, don't stand in her way.
Join the army, travel the world, meet interesting people and shoot them.
Just because you're paranoid it doesn't mean they aren't out to get you.
Life is a sexually transmitted disease.
Love Thy Neighbour - But don't get caught.
Money can't buy friends but it can buy a better class of enemy. - Spike Milligan.
Never put off till tomorrow what you can avoid altogether.
Racial prejudice is a pigment of the imagination
Smoking - think of it as evolution in action.
Sudden prayers make God jump.
When faced with two evils I like to do the one I've never tried before. - Mae West
Live fast, Die young, Leave a good looking corpse.
A Wise Man can see more from the bottom of a well than a Fool can see from the top of a mountain.
Walk softly but carry a big stick.
TO DO IS TO BE - Socrates% TO BE IS TO DO - Sartre% DO BE DO BE DO - Sinatra
It is better to keep your mouth closed and let people think you are a fool than to open it and remove all doubt. - Samual Clemmens
What you can not avoid, Welcome.
If you can't tie good knots... tie many.
Anything free is worth what you pay for it.
Two wrongs do not make a right; it usually takes three or more.
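
The dropped files and the Run value described above can be checked on a host with a short PowerShell function. This is an added example, not part of the original entry: the function name, the output fields and the extra WOW6432Node key (the 32-bit registry view on 64-bit Windows) are assumptions, while the file names, the size and the value name come from the text above.

```powershell
# Added example: host check built from the indicators named in this entry.
# Test-RoachBIndicators and its output fields are hypothetical names.
function Test-RoachBIndicators {
    param(
        # The directory the entry refers to as %windir%\System
        [string]$SystemDir = (Join-Path $env:windir 'System')
    )
    $findings = @()

    # Dropped files: dccom32.exe (worm copy, 28672 bytes) and eggcase.att (zip archive)
    foreach ($name in 'dccom32.exe', 'eggcase.att') {
        $path = Join-Path $SystemDir $name
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $item = Get-Item -LiteralPath $path -Force
            # The entry states a size only for the worm copy
            $note = if ($name -eq 'dccom32.exe') {
                "size=$($item.Length), expected 28672"
            } else {
                "size=$($item.Length)"
            }
            $findings += [pscustomobject]@{ Type = 'File'; Where = $path; Detail = $note }
        }
    }

    # Run key from the entry, plus the 32-bit view on 64-bit Windows
    # (the second key is an assumption, it is not mentioned in the entry)
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
    foreach ($keyPath in $runKeys) {
        if (-not (Test-Path -LiteralPath $keyPath)) { continue }
        $key = Get-Item -LiteralPath $keyPath
        foreach ($valueName in $key.GetValueNames()) {
            $data = [string]$key.GetValue($valueName)
            # Trim tolerates stray whitespace around the value name
            $nameHit = $valueName.Trim() -ieq 'dcomdriver'
            $dataHit = $data -like '*\dccom32.exe*'
            if ($nameHit -or $dataHit) {
                $findings += [pscustomobject]@{
                    Type = 'RunValue'; Where = $keyPath; Detail = "$valueName = $data"
                }
            }
        }
    }
    return $findings
}

Test-RoachBIndicators | Format-Table -AutoSize -Wrap
```

An empty result means none of the listed indicators were found at these locations; it does not rule out a renamed copy.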

© 1992-2004 Eset s.r.o. All rights reserved. No part of this encyclopedia may be reproduced, transmitted or used in any other way in any other form or by any means without prior permission from Eset.