** Creative.EXE - Trojan Horse **

Do not open a message with the subject line stating "A great Shockwave flash movie" or "Check out this new flash movie that I downloaded just now ... It's Great. Bye"  

It is a trojan horse virus. When a user launches creative.exe, the Trojan changes the filenames of all JPG and ZIP files and then moves those files to the C:\ root directory. The Trojan also sends itself out to all users in address books that are compatible with messaging application programming interface (MAPI). Microsoft Outlook and Outlook Express both use MAPI. The Trojan earns its "polite" designation because it provides repair instructions. None of the files are destroyed and the Trojan creates a text document c:\messageforu.txt that records each file it moves and its name change. The words "change at least now to LINUX" are appended on every JPG and ZIP file moved by the Trojan. So a file named picture.jpg becomes
picture.jpgchange at least now to LINUX.

The messageforu.txt also includes this warning, supposedly from the author: "Hi, guess you have got the message.  I have kept a list of files that I have infected under this. If you are smart enough just reverse back the process. i could have done far better damage, i could have even completely wiped your harddisk. Remember this is a warning & get it sound and clear... - The Penguin".

The penguin is the mascot for the Linux operating system. If launched, the Trojan drops a copy of itself as C:\creative.exe and also puts a reference to the executable in the Windows Startup folder so the Trojan will be launched every time the operating system starts. After the Trojan finishes its payload, it sends an email, supposedly to the author, at z14xym432@yahoo.com. The subject is "Job complete". The body of the message says, "Got yet another idiot".