
Hacker News Network
08-15-00


Part II: The bare bone basics
==========================
This is the part of the document that will try to give a very basic understanding of the Trojan/virus. It is *supposed* to raise questions - these questions will be dealt with in the third section. It will only give the reader an idea of the dynamics of the virus. It is the "press release" part of it.

The Package
----------
The package is a single executable. The executable contains two parts: a normal functional program, and the Active Ingredient (AI). The normal program can be anything, but should be of interest to the Internet community. Examples could include: screensavers, auto-playing AVIs, MPEGs, flash movies, anti virus software, a new hacking tool or even an anti virus solution.

The type of package could be customized to suit the method of transport.

Initial infection
---------------
The package will be distributed on the Internet. This is done by "robots". These "robots" will upload the infected package to FTP servers, mass mail the package to users, repackage existing software to contain the AI, and DCC the package at random to users connected to IRC servers. The 'net should be flooded by infected programs, all different in size and apparent functionality.

Conventional virus spreading methods can also be used. Initial infection could last in the order of 2 months.

Upon first execution on client machine
---------------------------------
A user will obtain the package, and execute it.

- Settle in.
AI will rename itself to a non-suspect filename. The AI will take the necessary precautions to ensure that it will be executed every time the host is restarted.

- Registration on server
AI should wait until it detects the possibility to connect to a server on the Internet. When this happens, the AI should contact a predefined web server(s), uploading information to this site. It will save a file on this site containing detailed information of the host. Each AI will save the file with a unique name / serial number.

Day to day activity of AI
---------------------
The AI will monitor activity, and if it detects traffic to the WWW, it will periodically check for instructions posted on the predefined web server. These commands will be downloaded from the WWW and executed on the host. The commands are to be found in a file that matches the serial number that the AI registered in the initial contact. The AI will execute all commands found in the command file. If the AI cannot find the command file, it will fall back to a general command file. If it cannot find this file, it will proceed with preprogrammed instructions.
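
From the defender's side, the polling described above leaves a pattern in web-proxy logs: one client fetching the same per-host file at regular intervals, and a 404 on that file followed at once by a request for a shared fallback file. The following is an added example, not part of the original document; the log format, host names, paths and thresholds are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: "epoch client server path status" (format is an assumption).
SAMPLE_LOG = """\
1000 10.0.0.5 files.example.test /c/000123.txt 404
1002 10.0.0.5 files.example.test /c/general.txt 200
1450 10.0.0.9 news.example.test /index.html 200
1900 10.0.0.5 files.example.test /c/000123.txt 404
1901 10.0.0.5 files.example.test /c/general.txt 200
2100 10.0.0.9 news.example.test /sport.html 200
2810 10.0.0.5 files.example.test /c/000123.txt 404
2811 10.0.0.5 files.example.test /c/general.txt 200
3700 10.0.0.5 files.example.test /c/000123.txt 200
5200 10.0.0.9 news.example.test /index.html 200
"""

def parse(log):
    for line in log.splitlines():
        if line.strip():
            ts, client, server, path, status = line.split()
            yield int(ts), client, server, path, int(status)

def find_pollers(log, min_hits=4, max_jitter=0.2, fallback_window=5):
    """Return {client: set(reasons)} for hosts showing command-file polling."""
    hits = defaultdict(list)      # (client, server, path) -> timestamps
    findings = defaultdict(set)
    last_miss = {}                # (client, server) -> (ts, path) of last 404
    for ts, client, server, path, status in sorted(parse(log)):
        hits[(client, server, path)].append(ts)
        key = (client, server)
        if status == 404:
            last_miss[key] = (ts, path)
        elif key in last_miss:
            miss_ts, miss_path = last_miss.pop(key)
            # A miss on one file, then a different file on the same server.
            if path != miss_path and ts - miss_ts <= fallback_window:
                findings[client].add(f"fallback {server}{miss_path} -> {path}")
    for (client, server, path), stamps in hits.items():
        if len(stamps) < min_hits:
            continue
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        # Low relative spread of gaps = machine-like periodic fetch of one URL.
        if mean(gaps) and pstdev(gaps) / mean(gaps) <= max_jitter:
            findings[client].add(f"periodic {server}{path} every ~{round(mean(gaps))}s")
    return dict(findings)
```

Ordinary browsing (the second client in the sample) produces neither signal, while the polling client is reported for both.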

Spreading further
--------------
Every host that is infected "reports" to one of the predefined servers. It will update a counter file. Every host that is infected with the initial spread will increment a number stored in the "infection count" file. When this file reaches a critical mass, all AIs will begin the secondary infection procedure:

The AI will extract all email addresses contained within the address book of popular mailers (Outlook, Netscape, Eudora). The AI will start sending email with attachments to addresses harvested from the mailers. The attachment will be the package. The rate at which the AI will send mail can be controlled via command files.


Continue to Part III: Detail Design


These pages are Copyright © 2000 Hacker News Network All Rights Reserved.