VBS/Irok.Trojan.Worm

Irok is a Microsoft Outlook e-mail worm that also exhibits
destructive viral behavior. The worm arrives in an e-mail
with the subject line: "I thought you might like to see this."
The body of the e-mail reads: "I thought you might like this.
I got it from paramount pictures website. It's a startrek
screen saver." The e-mail has an executable file called Irok.exe
attached to it, but with no icon displayed.

When the attached file is run, it displays a flying star field
simulation. In the background, it copies itself to the
C:\Windows\System directory. The worm also creates an 862-byte
file called Irokrun.vbs in C:\Windows\Start Menu\Startup and
another file called WinRDE.DLL in C:\Windows\System. The worm
tries to delete the signature or checksum files of various
anti-virus products in an effort to stop detection and removal,
and it infects other executable files. The viral component of
the worm is a 16-bit DOS virus, but it will infect all executable
files regardless of their platform, corrupting them in many cases
and making a cure impossible.

In order to execute, the worm requires that Windows Scripting
Host (WSH) be installed. This means a Windows 98 machine is
susceptible to the virus, but Windows 95 users would have to
install the WSH. The worm relies on the fact that the operating
system has been installed to C:\Windows and therefore will not
work under a default Windows 2000 or Windows NT installation.

If WSH is installed, the Irokrun.vbs script will be executed
on the next system start. The script will try to send the
previously described mail to the first 60 entries of each
Outlook address book and delete itself after execution. The
worm also tries to send itself through Internet Relay Chat
(IRC).

CA anti-virus researchers are still looking at the viral
characteristics of Irok.exe that can strike independent of the
presence of Windows Scripting Host. According to user reports,
the worm will display an Armageddon message and corrupt the
entire hard drive, rendering it unusable.
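
The following is an added example, not part of the original advisory or of any CA tool: it checks a mounted copy of the C: volume for the files named above, matching names case-insensitively because FAT volumes do not preserve case reliably. That the copy in C:\Windows\System keeps the name Irok.exe is an assumption; the function names and the sample tree are constructed for illustration.

```python
import os
import tempfile

# Artifact paths from the advisory, relative to the root of the C: volume.
# An expected size is given only for Irokrun.vbs (862 bytes).
ARTIFACTS = [
    ("Windows/Start Menu/Startup/Irokrun.vbs", 862),
    ("Windows/System/WinRDE.DLL", None),
    ("Windows/System/Irok.exe", None),  # assumption: copy keeps the attachment name
]

def resolve_nocase(root, relpath):
    """Resolve relpath under root ignoring case; return None if any part is missing."""
    current = root
    for part in relpath.split("/"):
        try:
            names = os.listdir(current)
        except OSError:
            return None
        match = next((n for n in names if n.lower() == part.lower()), None)
        if match is None:
            return None
        current = os.path.join(current, match)
    return current

def find_irok_artifacts(root):
    """Return (relpath, size, size_matches) for each advisory artifact present."""
    findings = []
    for relpath, expected in ARTIFACTS:
        path = resolve_nocase(root, relpath)
        if path is None or not os.path.isfile(path):
            continue
        size = os.path.getsize(path)
        findings.append((relpath, size, expected is None or size == expected))
    return findings

def build_sample_volume(root):
    """Constructed sample: a fake C: tree with upper-cased names and dummy contents."""
    startup = os.path.join(root, "WINDOWS", "START MENU", "STARTUP")
    system = os.path.join(root, "WINDOWS", "SYSTEM")
    os.makedirs(startup)
    os.makedirs(system)
    with open(os.path.join(startup, "IROKRUN.VBS"), "wb") as f:
        f.write(b"'" * 862)  # placeholder bytes, not the real script
    with open(os.path.join(system, "WINRDE.DLL"), "wb") as f:
        f.write(b"\0" * 16)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as vol:
        build_sample_volume(vol)
        for hit in find_irok_artifacts(vol):
            print(hit)
```

Because the script deletes itself after it runs, a missing Irokrun.vbs does not rule out infection; WinRDE.DLL and the copy in C:\Windows\System are the more durable indicators.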