If the attachment is opened, the user will be presented with a picture of a seal. Behind the scenes, the Scold worm gathers email addresses from the user's address book and any .HTM or .HTML files found in certain locations on the drive. Having collected the addresses, Scold then mass-mails itself to others.
The subject may be any of the following:
- When It's Cold Outside She Gives Me Warm Inside
Fw:When It's Cold Outside She Gives Me Warm Inside
Re:When It's Cold Outside She Gives Me Warm Inside
The email body contains one of the following:
- You will love this cute picture.
Enjoy this great picture.
Don't miss this cool picture.
and will also include an erroneous virus scan message as follows:
============== Free Online Virus Scan ==============
100% VIRUS FREE
No viruses or suspicious files were found in the attached file.
Method of infection:
The Scold worm drops the file 'warm.scr' to the Windows folder.
Scold then adds itself to the sytem registry to ensure it will be activated when the system is rebooted:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"ExeName32"=C:\Windows\warm.scr
Removal instructions:
Antivirus software updated on or after December 10, 2003 should be able to detect and remove this worm. To manually remove the Scold worm, locate and delete the dropped warm.scr file and remove the registry edit noted above.
