is a mass mailing and P2P worm. It also installs a backdoor trojan horse on an infected computer.

The worm spreads by creating copies in the Kazaa-shared folders and by sending infected e-mails. It forges sender field in an email. It uses one of these items in the Subject field: "Error", "Hello", "Hi", "Mail Delivery System", "Mail Transaction Failed", "Server Report", "Status" or "Test". The attachment is 22528 bytes long and has one of extensions "bat", "cmd", "exe", "pif", "scr". The attachment might be compressed to zip file 22788 bytes long. The worm searches for mail addresses in the files with extensions "adb", "asp", "dbx", "htm", "php", "pl", "sht", "tbb", "txt" and "wab". The worm omits posting to some domains, mainly antiviral and software companies, universities and internet authorities.

When executed, the worm opens up a Notepad program with garbage data in it. The worm instals the library shimgapi.dll to the %system% folder. The library is a trojan horse, making remote control of the computer possible, including installation of any program. It opens TCP ports between 3127 - 3198 for communication. The worm copies itself to the taskmon.exe file in the %system% folder.

The worm adds its own keys to the following registry items:
It adds the keys TaskMon with the value %System%\taskmon.exe - this item launches the worm when the Windows starts.
It puts the value %SysDir%\shimgapi.dll to the Default item - this item launches the trojan horse in the Explorer.exe's memory space.
It also creates a subkey in

The worm will perform the DDoS (distributed denial of service) attack on 1st February 2004 to the site It will stop all of its activity on 12th February 2004. The trojan horse remains active after this date however.

To remove this virus please use free avast! Virus Cleaner.

avast! with VPS file dated on or after 26th January 2004 (minor version 05) is able to detect this worm.

Refer: Avast

Copyright © 2004-2004 All rights reserved.
Valid HTML 4.01! Click here to validate current page. Best viewed with ANY browser! Valid CSS! Click here to validate current CSS.