W32/Music

Please follow the instructions for removing worms.

Please read the instructions for removing worms.

Windows NT/2000/XP

In Windows NT/2000/XP you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SysDrv

and delete any reference to the worm file.

Close the registry editor.

W32/Music is an email-aware Win32 worm.

When an infected file is executed the worm waits a few minutes before attempting to connect to several internet websites. It attempts to download an updated version of itself from these websites.

The worm then tries to send itself to email addresses found on the infected PC.

The email message it sends varies depending on the version of itself it has downloaded from the web, but the message text will probably be similar to:

"Hi, just testing email using Merry Christmas music file, you'll like it."

The worm itself is attached as a file called music.com, music.exe or music.zip.

When this file is run the worm attempts to play the first few bars of the song "We wish you a Merry Christmas" and displays a cartoon of Santa Claus with the caption "Music is playing, turn on your speaker if you have one" or "There is error in your sound system, music can't be heard."

When it has finished playing the music it will then display "Merry Christmas" and start playing the music again.

It adds the registry key

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SysDrv

containing the name of the worm file.