Music
Aliases: I-Worm.Music, Troj_Music, W32/Music@mm, W95/Music

Type: VBScript Worm
Systems Affected: Windows 32-bit systems
Payload: Worm is self-updating, so functionality could vary
ITW: Yes
Origin:
Description: Music is a VBScript worm received as an email attachment, named MUSIC.EXE. The subject line of the message reads:

Testing to send file

and the body of the email reads:

Hi, just testing email using Merry Christmas music file, not bad music.

If executed, the worm copies itself to C:\Windows\System as SYSMCM.EXE. It also modifies the registry to run on startup. While doing so, the worm displays Christmas pictures accompanied by a musical tune. It then connects to two Inet sites, downloads and saves two additional components named SYSDRV.EXE and SYSTMP.DLL. These files are saved to the C:\Windows directory. A second downloaded component of the worm is copied to Windows\System and, in turn, it sends a copy of the original worm to all recipients in the infected user's Address Book. The worm is self-updating, that is it is able to upgrade its components via the Internet. Thus, functionality of the worm may change over time.
What to look for: Search for the filenames listed in the above description. Also search the HKey_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Run registry key for the following value: SysDrv = path\sysmcm.exe (where path is the Windows\System directory). Also in HKey_Local_Machine\Software\Microsoft look for the value MCM containing:
FirstRun
LastRun
RunMCM
Status
SMTP
Version = 001111
How to prevent it: Do not open attachments received unexpectedly, even from known sources. Keep your antivirus software up-to-date, save and scan any attachments before opening.