W32/Pepex-A is a worm which can spread via email, IRC and the KaZaA file sharing network.
W32/Pepex-A copies itself to the Windows system folder as winsysX.exe, where X is a random number with 2 or 3 digits. Then the worm creates the registry entry
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows task32 sys
to point to this copy.
The worm uses an infection marker, creating the registry entry
HKLM\Software\RedCell\infected = yes
To propagate over IRC the worm creates the file script.ini so that the worm is sent to all users who join a channel occupied by the infected user. Additionally the script joins the user to the channel #piecebypiece.
Emails are sent by W32/Pepex-A to addresses harvested from HTM files in the Tempory Internet Files folder. The emails have the following characteristics:
From: Microsoft <information@microsoft.com>
Reply-To: Microsoft <microsoft@microsoft.com>
Subject: Internet Explorer vulnerability patch
or simply:
Subject: Hello
In both cases the message text is "You will find all you need in the attachment" and the attached file is called setup.exe.
To spread via the KaZaA file sharing network, the worm looks for the KaZaA shared folder and copies itself as either icq2002.exe, wincrack.exe, winamp3.exe or mirc6.exe.