is a mass mailing and P2P worm. It also installs a backdoor trojan horse on an infected computer.
The worm spreads by creating copies in the Kazaa-shared folders and by sending infected e-mails. It forges sender field in an email. It uses one of these items in the Subject field: "Error", "Hello", "Hi", "Mail Delivery System", "Mail Transaction Failed", "Server Report", "Status" or "Test". The attachment is 22528 bytes long and has one of extensions "bat", "cmd", "exe", "pif", "scr". The attachment might be compressed to zip file 22788 bytes long. The worm searches for mail addresses in the files with extensions "adb", "asp", "dbx", "htm", "php", "pl", "sht", "tbb", "txt" and "wab". The worm omits posting to some domains, mainly antiviral and software companies, universities and internet authorities.
When executed, the worm opens up a Notepad program with garbage data in it. The worm instals the library shimgapi.dll to the %system% folder. The library is a trojan horse, making remote control of the computer possible, including installation of any program. It opens TCP ports between 3127 - 3198 for communication. The worm copies itself to the taskmon.exe file in the %system% folder.
The worm adds its own keys to the following registry items:
The worm will perform the DDoS (distributed denial of service) attack on 1st February 2004 to the site www.sco.com. It will stop all of its activity on 12th February 2004. The trojan horse remains active after this date however.
avast! with VPS file dated on or after 26th January 2004 (minor version 05) is able to detect this worm.Refer: Avast