Domain: symantec.com
Stories and comments across the archive that link to symantec.com.
Comments · 1,115
-
Re:Yes CmdrTaco
Actually I'm pretty sure this worm only affects unpatched versions of Outlook Express. Here is a bit of proof.
The worm exploits a vulnerability in Microsoft Outlook and Outlook Express in an attempt to execute itself when you open or even preview the message. Information and a patch for the vulnerability can be found at
http://www.microsoft.com/technet/security/bulletin/MS01-020.asp.
W32.Klez.gen@mm attempts to copy itself to all network shared drives that it finds.
This is an excerpt from http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.gen@mm.html#technicaldetails. Now honestly I don't love MS either, but XP has one feature which saved my parents and a few unknowing friends. Within a day of the patch coming out their PCs had updated themselves and fixed the hole. Although I do agree that deleting pound upon pound of that damned virus for a week straight was very annoying. -
Re:Hemos uses Outlook
If this is the 'Klez/W32' virus, it is unlikely that it is from Hemos since it spoofs the sender.
Also see: http://securityresponse.symantec.com/avcenter/venc/data/w32.elkern.3326.html
NOTE: This virus is associated with and can be dropped by either W32.Klez.A or W32.Klez.D. Please read those write-ups for additional information. -
Interoperability (Re:"Central Policy Server"...)
Interesting -- I wonder if they wrote their own policy server, or are OEM'ing someone else's stuff? There are several vendors who have products in this space: Zone Labs Integrity, Sygate Secure Enterprise, Symantec Enterprise Security Manager, F-Secure Policy Manager, and probably some others I've forgotten.
The tricky thing is writing a server that integrates well with existing back-end security and authentication infrastructure: having a bunch of standalone systems really sucks from a management point of view. Depending on how the client/agent/firewall (in software or firmware, as on a NIC) is structured, it may be possible to mix and match vendors in the future. (For example, another vendor's server monitoring these 3com NICs.)
The protocols themselves don't really need to be proprietary to the point of precluding interoperability: most are based on good solid Internet/IETF standards like IPSec, SSL, TCP, XML, etc. (Full disclosure: I was the system architect for Zone Labs Integrity.) If the protocols could be standardized, I could easily see ZLI serving policy to the various firewall-enabled gadgets out there, as the server is easily extensible.
I guess I just want to see things interoperate, but that's probably just because I'm an old Unix hacker....
-
Maybe Norton and McAfee will take notice now
I've got Norton AntiVirus installed at home and I find it ridiculous that it doesn't detect spyware.
From the Norton site:
Because adware programs are not malicious, and are not viruses, worms, or Trojans, Norton AntiVirus does not detect them as such. Detecting nonmalicious programs such as jokes or adware could cause you to believe you have run or received a dangerous program when in fact you have not.
Hopefully they'll fix this in their next version. Ad-aware has been great for removing spyware after it's weaseled its way onto my system, but I need a program that will stop it from getting on my system in the first place.
-
Re:Code Red and other Problems with Hype
Really though, I serve as a virus debunker for many of my less than computer literate friends, but it would be nice if there was a public site for this sort of thing, that picked up e-mail hoaxes and displayed them for what they are, meanwhile addressing real problems and how to fix them.
Here's a good site to pass on when someone sends you a virus warning that's actually a hoax. It's in no way too technical for the dumbmasses to check before passing on bogus warnings. -
it's a plot
watch out, NASA.
Hackers looooooooooooooooove noodles. -
Re:Woohoo!
-
Think Private
I wonder if Carnivore is an x86-only program? Somehow I doubt there would be a Mac version since it uses PPC, or at least, not a Mac OS X version yet. Perhaps a Carbon version of Carnivore is coming down the pike though...
:)
Reasons to Think Private:
- Virus/Worms are primarily written for Windows
- Server Attacks are primarily on Windows
- Carnivore is X86 Wintel Exclusive?
Perhaps not the best new apple campaign...hrrmmm. -
Re:flumapper.com
I always look for new viruses here.
-
Coincidences
Last summer, I received a SIRCAM'ed e-mail from a local web-design firm, which was a price offer for a website for one of our two mobile phone providers. A tad expensive, but I was otherwise uninterested in the firm, so I just filed it away without exploiting it. I did file it away, rather than deleting it, because you never know when such items may come in handy...
Now, a month ago, a friend of a friend (who runs a small non-profit which helps the Third World) got a run-in with the same web-design firm. Basically, they tried to cram hosting down their throat when all they asked for was design. The scuffle got slightly interesting after we snarfed the site using wget, fixed a couple of syntax errors in their code, and put it on our own server. They responded with a couple of hissy e-mails, and then put back a mirror of our site on their server, in its original state (i.e. with syntax errors). Well, to make a long story short, while cleaning up in my old files, I happened upon this old SIRCAM mail, and now I am wondering how to place it for the most effect
;-) Interestingly enough, they seem to be reselling the services of another "non-profit", which is appropriately named after the mail program thanks to whose lack of security I got that mail in the first place. -
The other mail relays that the virus uses:
Excerpted from Symantec's site
...if it cannot connect to the email server listed in that registry key, it will use one of the following:
- webproxy.teaorcoffee.com.tw
- supab.stn.sh.cn
- sitic.com.cn
- server.benmoss.com
- pokkant1.pokka.com.sg
- pdc.hrserve.com.tw
- outmail.dongfang-china.com
- ns.sillim.hs.kr
- ns.binter.cl
- microimportservice.com
- mailsvr.hanace.co.kr
- mailserver.kaimi.com.cn
- mail.yinda.com.cn
- mail.win-tex.com
- mail.pusanpaik.or.kr
- mail.cmr.com.cn
- mail.clinicasanborja.com.pe
- luckybusan.com
- linux2.ele-china.com
- crato.urca.br
- ahbb.net
- ntserver1.pascon.com
- toad.com
- mailinx.nettlinx.com
- www.sztge.com.cn
-
All Open Relays
One of 25, which are:
210.242.232.25
61.129.53.82
205.200.155.2
203.92.100.186
211.21.47.218
211.97.214.53
200.72.36.42
210.101.186.3
210.12.164.230
202.108.109.222
195.22.21.14
61.78.199.6
211.99.206.199
216.244.152.250
211.219.246.25
211.154.129.31
200.253.229.66
202.102.200.103
210.176.173.60
140.174.2.1
202.53.64.195
202.104.108.226
and a few non-resolvable ones.
See http://securityresponse.symantec.com/avcenter/venc/data/w32.yaha@mm.html
Already submitted them to ordb. -
Re:Not quite..
Spam is the only reason that open relays are bad. MS's security isn't.
Try reading the article. A Windows trojan has this particular relay hard coded into it and uses it to send.
-
Re:Not sure I'd call this a .NET virus
This *additional* behavior that affects .NET enabled computers is the part that could possibly be written in C#, and it looks like it's not responsible for any of the bulk emailing...
You are correct, this is the only part that is written in .NET compiled down to MSIL. Here's a cut from the Symantec writeup: The replication code of the virus is written in C# and compiled to MSIL...
The emailing routine is done by dropping a VBS file that enumerates the Outlook address book, sending an email to everyone in there.
This is said to be the second virus that infects .NET files. The first one was W32.Donut (even though W32.Donut doesn't actually infect the MSIL part of the executable, but the one containing the normal X86 code).
In my opinion, we still haven't seen the first *true* .NET virus. When there is a virus that infects the MSIL (Microsoft Intermediate Language) code, then I think it qualifies as a .NET virus. All the .NET viruses we have seen so far appear to be attempts by virus writers to get media attention, and as we can see, it worked :-/ -
Read the technical details at Symantec
I just looked at the Symantec write-up for W32.HLLP.Sharpei@mm and from what I read it's primarily just another social engineering email-with-executable-attachment worm ("Please run this MSFT update") which happens to use C# in some of the code it runs after it has 0wn3d your machine.
The fact that the worm tries to run a C# executable after it has already compromised the machine is not much of a technical feat since it could run anything including a Perl script, Java program, Lisp code, etc as long as the runtimes were available on the target machine.
Disclaimer: The opinions expressed in this post are mine and mine alone and do not reflect the opinions, wishes, strategies or intentions of my employer. -
LINKS #dmsetup give from time to time
I work with a virus removal group on Undernet that works from the channel #dmsetup. We often locate new stuff all the time. Below I'm pasting all my links I usually give out to users. Included are keepers of the gates of hell (stuff you use before you get infected) and some stuff that gets you out of hell (what you use after your girlfriend opened that attachment).
Cleaners and virus scanner suites
Housecall online antivirus scanner
PC-Cillin virus scanner suite
Central Command Virus Scanner Suite
Puppet's Cleaner
Puppet's Cleaner Alternate Site
Mcafee virus removal suite
Norton Antivirus, virus removal suite
Frisk software's f-prot antivirus suite for windows dos and linux
Firewall software
Zone Alarm Firewall
Conseal Firewall
Various tools used to get out of hell or figure out what hell you are in.
-
I agree
Definitely, I use this both at work and at home, very good product.
The firewall allows you to configure rules based on applications, ports, local address, remote address, or any combination of the above. When you use a new product that tries to access the 'net you get a popup warning box which allows you to one-off block/allow or to configure a rule. Norton's "Live Update" allows you to stay easily up to date, and the firewall software automatically contains blocks for the most common trojan ports.
The firewall also allows you to have "privacy" controls to prevent your browser accepting / returning cookies and off-site information, along with ad blocking, very nice.
The Anti-Virus seems pretty effective as well with the usual quarantine, disinfect, delete options, and a nice auto-update facility.
You can find Norton's page here
-
Re:The US could prohibit co-operation on censorshi
The US could, by legislation, prohibit U.S. companies from assisting with censorship in selected countries. There's an analogy to the Arab boycott of Israel [us-israel.org], which led to lobbying by Israel for U.S. laws prohibiting American companies from cooperating with the Arab boycott.
You are absolutely right. Legislation should quickly pass the law to cease the operation of immoral companies who allow keylogging software to spy on citizens' activities. Also, American companies should join the boycott of the oppressive Government who creates a big database monitoring citizens' emails.
Oh wait. -
Re:Are you sure
Good Times is a hoax.
Symantec has a write-up on it, and has had for a long time now. -
Re:this is such crap...
Some people have had problems like this while using Norton Firewall. If you have that installed, you may want to check about how to pass referrer info to the website.
-
VM: a definition
In a previous life, I sat in a corner taking notes while around me, engineers designed Java VMs. The experience didn't make me into a real expert, but it did make one thing clear: there's no such thing as running Java without a VM.
People think of the VM as an interpreter that executes the bytecodes. That's a particular implementation of a VM. And not a very good one -- which is why no production VM works that way.
The simplest optimization is to use a JIT. This gives you native execution speed once the class files are loaded -- but loading is slower, because it includes compiling the byte codes. You can end up wasting a lot of time compiling code you'll only execute once -- most programs spend 90% of their time in 10% of their code. Depending on the application, you can end up wasting more time on unnecessary compilation than you save by running native code.
Intuition suggests that the most efficient thing to do is to "get rid" of the VM by compiling everything to native code before you distribute your app. But that doesn't get rid of the VM -- it just converts it to a different form. There are some VM features you can't compile away, such as garbage collection. Some experts claim (not me, I get dizzy when I even read benchmarks) that "pure" nativeness is illusory and not that efficient. Plus you lose a lot of the features of the Java platform when you run the program that way. Might as well stick with C++.
Some VM implementations use a sophisticated compromise between interpreters and JIT compilers. If you can identify the small part of the program that does most of the actual work, you know what parts of the program really need to be compiled. How do you do this? You wait until the program actually starts running!
Advocates of this approach claim that it has the potential to be faster than C++ and other native-code languages. A traditional optimizing compiler can only make decisions based on general predictions as to how the program will behave at run time. But if you watch the program's behavior, you have specific knowledge of what needs to be optimized.
Computer science breakthrough, or illogical fantasy? Don't ask me, I'm just a spectator.
The engineers I picked this stuff up from were very contemptuous of "microbenchmarks" like those described in the developerWorks article. Nothing to do with the real world.
-
Is this really true?
Has anyone actually confirmed that this is true?
I've been unable to access the site http://disvr.cjb.net/freedv referenced in the article. If this is an official Symantec decision, why aren't the binaries available from http://www.symantec.com? I just searched their site for the word "DesqView" and found no mention of this supposed release.
The alternative http://www.chsoft.com/dv.html posted here contains binaries but I can't see any mention of any official announcement by Symantec about the binaries now being in Public Domain.
The site http://www.freemm.org/DesqView%20X/, also mentioned in postings here on Slashdot, (and last updated Wed Apr 11 2001) says the following:
I built this page as soon as I heard that DesqView/X is available. As soon as I confirm the legality of the download, I will load the binaries up on this site. For right now, you can download DesqView/X from Amos Vryhof's page at: http://disvr.cjb.net/freedv/. There are also many useful links there
It seems to me that this rumour has been around for a few months now.
Finally, if this is true, why aren't there any announcements about it on comp.os.msdos.desqview? And why did Amos Vryhof, presumably the owner of http://disvr.cjb.net/freedv, recently start his own OpenDVX project on Sourceforge?
I'd love for it to be true, but until I see some official announcement from Symantec, I can't say that I believe it.
-
important news for /. readers (REALLY!)
2002-01-18 21:50:48 Xbox emulator trojan confirmed (articles,security) (rejected)
Well...I tried to submit this as a story but it was rejected within 10 minutes. It seems that the Xbox "emulator" featured on Slashdot a few days back contains a trojan (though it must be said that it is relatively harmless).
The trojan in question is called Badcon and causes unpatched Win9x boxes to crash to the point of requiring a restart. Info and removal instructions can be found here
Well...so much for my karma.
-1 Offtopic -
My version
Here's the message I use, which is a combination of RMS's second version (without the polemics) and the version I was using until now. First, though, here's my procmail recipe. I have it inside a group that causes it to reply only to messages sent to college-wide mailing lists, which are the worst offenders in my case. The file "wordattach" contains the message; the file "wordok" is a list of people who are allowed to send me Word attachments without complaint (such as a colleague who likes to write papers in Word). The message still comes to me in any case, but I'm saved composing a complaint. Any particular sender gets only one complaint (almost).
Many modifications are possible, of course. (P.S. The indentation is nicer in my file, but the lameness filter won't allow it. Sorry.)
# Autoreply to anything that has an MS-Word attachment
# (FORMAIL, SENDMAIL, MAILDIR and NOLOOP are set earlier in the rc file)
:0
* ^Content-Type:
* $ ! ^X-Loop: ${NOLOOP}
{
  # Senders listed in $MAILDIR/wordok may send Word attachments without complaint.
  # Plain ':0' here: a 'c' flag on a nesting block would clone procmail and
  # deliver the message twice.
  :0
  * ? $FORMAIL -x From | fgrep -i -f $MAILDIR/wordok
  {
  }
  :0 E
  {
    # Reply on a copy (c) if header or body (HB) carries a Word part
    :0 c
    * HB ?? ^Content-Type: application/msword
    | ($FORMAIL -rt -A"X-Loop: ${NOLOOP}" -A"Precedence: junk" ; \
       cat $MAILDIR/wordattach; \
       echo --; cat $HOME/.signature \
      ) | $SENDMAIL -oi -t
    # Mark that the message has gotten an auto-response
    # (A: only if the preceding recipe matched)
    :0 Af
    | ${FORMAIL} -A"X-Autoresponse: MS-Word attachment"
  }
}
Now, my message:
This message was automatically generated by my mail filter.
You have sent a message containing an MS-Word attachment. You may be unaware that Word attachments are not readable by all of your recipients. In addition, Word-formatted mail attachments are often vehicles for viruses, worms, and other malicious software (see http://www.symantec.com/avcenter/venc/data/acro.html). Word attachments may also contain information that you may not have intended to send (see http://www.microsystems.com/Shares_Well.htm). I have found that most documents sent in Word format could have been sent as plain text without losing any of their contents or meaning. If that is the case, please re-send your document in plain text.
One way to send a Word document in plain text is to select all of the text in the document (Edit->Select All), copy it to the clipboard (Edit->Copy) and then paste it into your e-mail message (Edit->Paste).
An alternative is to save the file as text: open the document, choose File->Save as, and in the "Save As Type" strip box at the bottom of the dialog, choose "Plain text" or "Plain text with line breaks." Then click "Save". You can then attach the new text document in a safe format that is readable by everyone.
If your formatting is important, you can choose "HTML Document or Web Page" instead of "Plain text" (but again, you will find that some of your recipients have difficulty reading your message).
-
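The procmail recipe above keys on a literal "Content-Type: application/msword" line anywhere in the message, which misses a Word file sent as application/octet-stream or with a misleading filename. The following is an added example, not code from the post's author: it walks the MIME structure with Python's email package and flags a part by declared type, by extension, or by the OLE2 compound-document magic that Word 97-2003 .doc files start with. It also reproduces the recipe's whitelist and loop-protection decisions. The whitelist format, the X-Loop/X-Autoresponse header names and the sample messages are assumptions and are constructed here.

```python
import email
from email import policy
from email.message import EmailMessage

# Magic number of an OLE2 compound document, the container Word 97-2003 .doc
# files are stored in. A part that starts with it is an Office binary no
# matter what Content-Type or filename the sender's mailer put on it.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
WORD_TYPES = {"application/msword", "application/vnd.ms-word"}
WORD_EXTS = (".doc", ".dot")


def find_word_attachments(raw: bytes) -> list:
    """Walk every MIME part and report the ones that look like Word documents,
    by declared Content-Type, by filename extension, or by the OLE2 magic."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        fname = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        reasons = []
        if ctype in WORD_TYPES:
            reasons.append("content-type")
        if fname.endswith(WORD_EXTS):
            reasons.append("extension")
        if payload.startswith(OLE2_MAGIC):
            reasons.append("ole2-magic")
        if reasons:
            hits.append({"filename": fname, "content_type": ctype, "reasons": reasons})
    return hits


def needs_complaint(raw: bytes, allowed_senders) -> bool:
    """The decision the procmail recipe makes: complain unless the sender is
    whitelisted or the message is itself automated/bulk mail (loop protection).
    Header names mirror the recipe; they are an assumption, not a standard."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = (msg.get("From") or "").lower()
    if any(a.lower() in sender for a in allowed_senders):
        return False
    if "X-Loop" in msg or "X-Autoresponse" in msg:
        return False
    if (msg.get("Precedence") or "").lower() in {"junk", "bulk", "list"}:
        return False
    return bool(find_word_attachments(raw))


def build_sample(attach_name: str, mime_type: str, payload: bytes) -> bytes:
    """Constructed test message; not a real mail."""
    m = EmailMessage()
    m["From"] = "Some Colleague <colleague@example.edu>"
    m["To"] = "me@example.edu"
    m["Subject"] = "minutes"
    m.set_content("See attached.")
    maintype, subtype = mime_type.split("/", 1)
    m.add_attachment(payload, maintype=maintype, subtype=subtype, filename=attach_name)
    return m.as_bytes()


if __name__ == "__main__":
    doc = build_sample("agenda.doc", "application/msword", OLE2_MAGIC + b"\x00" * 504)
    print(find_word_attachments(doc))
    print(needs_complaint(doc, []), needs_complaint(doc, ["colleague@example.edu"]))
```

The magic-number check is the one worth keeping even if you stay with procmail: a sender cannot change it without making the file unreadable to Word, whereas the Content-Type line is whatever the sending mailer felt like writing.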
Re:Why Infect Flash?
-
Infoworld is reporting on a *different virus*
It appears that the articles have not been read carefully. After comparing the three, there are two Flash virii being spread around.
Virus 1 (Conrad's submission) - SWF/LFM.926
The virus, dubbed SWF/LFM.926...must be downloaded manually and cannot spread...over e-mail. (Yahoo) ...and after being run, infects other Flash movies while displaying the message "Loading Flash-Movie...". The virus exploits the scriptability of Macromedia Flash to generate a file V.COM, which gets executed afterwards without confirmation. (German trans. - thanks entrox!!)
Virus 2 (bdavenport's infoworld submission) - Creative.exe
The virus...arrives in an e-mail bearing the subject line, "A great shockwave flash movie."
The worm, which first appeared Thursday, is delivered to users in the form of an e-mail attachment that appears to be a Shockwave Media Player. When a user tries to view the movie attachment, the worm sends a copy of itself to all people in the address book of the user's Microsoft Outlook e-mail program, potentially clogging e-mail networks.
One reason the Creative.exe virus may be spreading so quickly is that it uses the Shockwave Flash movie icon. (Infoworld) ...but if you check the date of the Infoworld article, it's December 1, 2000.
From Symantec:
Discovered on: November 30, 2000
Due to a recent decrease in world-wide infections of this worm, SARC has decreased the threat level of this worm to 3 and removed it from the Top Threats list.
W32.Prolin.Worm uses Microsoft Outlook to email a copy of itself to everyone in the Outlook address book. The worm moves all .mp3, .jpg, and .zip files to the root folder. It renames each of these files and appends the following text to the extension of each file:
change atleast now to LINUX
Also Known As: TROJ_SHOCKWAVE.A, CREATIVE, TROJ_PROLIN.A
So...Creative.exe is NOT a Flash virus, and is old news, unrelated to SWF/LFM.926.
-
Norton Users - Something to note
The Norton info page on this virus can be found here.
One important thing to note on this webpage: we should add .swf to the extensions that we scan. Hopefully that will help protect us in the future from more dangerous Flash viruses that are sure to come. -
Symantec's description of the trojan
http://securityresponse.symantec.com/avcenter/venc/data/w32.dlder.html
For a description of the trojan in grammatically correct English :) -
Re:originally called a trojan
It was in The Register (my other regular read, which scoops Slashdot at least 1/2 the time BTW) - and people above seem to have been missing the point: yes, this is not Gator or some other silly thing, it's spyware classified as a trojan by antivirus vendors because, it appears, no one knows what exactly it does.
LINKS: - the register article
zdnet on the trojan
symantec listing the file as a trojan -
Re:Constructive Uses?
It has been done. I can't remember off the top of my head which one, but I cleaned up a virus infection about a year ago that installed the distributed.net client.
It's gotten bad enough that Symantec has posted a KB article on it, here.
Distributed.net also has a trojans page here.
---
www.symetrix.net -
Re:Availability
I haven't seen it yet... and according to Symantec as of this post they don't have the write-up yet.
Definitely keeping my eye out though... made tons of money cleaning up after Nimda and Sircam ;-)
-
Run from the preview pane...
The big one will run straight from the preview pane...
KaK Worm was pretty close. It's been around for a while, but I'm still cleaning it out of some customers' machines. It used a script in the signature to infect a user, so really all you'd hafta do is view the email and it'd run the attached file for you. Pretty slick virus, but had some downfalls. Easy to clean out, no interesting payload, and extremely easy to detect (a .hta file in your Start Up folder) -
Re:Same old...
There are already worms that do that sort of stuff, one example being W32.Magistr. Apart from the proper English, it sounded like it does what you want it to. E.g. it overwrites the boot sector of the first IDE hard drive, erases the CMOS, flashes the BIOS, corrupts/deletes text files, and much more. Plus it can send itself to people in the victim's Outlook, Netscape and (in the newer version, which is linked) Eudora address books. Too bad it is old and the virus scanners can detect it.
-
Nasty One
This one is --deadly-- on the mail services. Unfortunately, only the virus defs. from TODAY (12/4, at least for Norton) can detect the bastard. On W2k you can kill the process, but on 9x you're screwed because it, of course, edits the registry and starts on bootup. It will actually keep the outlook.exe process running as well, pumping out the email, even if you exit the Outlook program.
Also deletes personal firewall software and anti-virus software. Full list here. -
DDoS
It doesn't just delete files. As Symantec reports:
"If IRC is installed, this worm can also insert mIRC scripts that will enable the computer to be used in Denial of Service (DOS) attacks."
-
Re:NOT!
Correctamundo. I think the article needs an update. This payload is not non-destructive:
from symantec
Once the registry key has been added, the worm will try to delete files of common anti-virus and firewall products. If the files are in use and cannot be deleted, the worm will create the file %SYSTEM%\Wininit.ini, which causes the files to be deleted when the computer restarts. -
Somewhat destructive: eats firewalls, antivirus
Non-destructive? It puts a hit out on its own opposition...
From http://securityresponse.symantec.com/avcenter/venc/data/w32.goner.a@mm.html...
...the worm will try to delete files of common anti-virus and firewall products. If the files are in use and cannot be deleted, the worm will create the file %SYSTEM%\Wininit.ini, which causes the files to be deleted when the computer restarts.
-
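The two comments above quote the same Symantec detail: when Goner cannot delete a running firewall or antivirus file, it queues the deletion in %SYSTEM%\Wininit.ini, which Windows 9x processes at the next boot. The mechanism is the [rename] section of that file, where each line is destination=source and a destination of NUL means "delete source". The block below is an added example (not from the Symantec write-up or any commenter) that parses a Wininit.ini and flags queued deletions aimed at security software, which is a quick triage check on a box you suspect has been hit before it reboots. The list of product executable names and the sample file are constructed; the page does not reproduce Goner's actual target list.

```python
# Illustrative executable names of firewall and antivirus products (constructed
# list; the page does not reproduce the exact filenames the worm carries).
SECURITY_EXES = ("zonealarm.exe", "vsmon.exe", "navw32.exe", "navapw32.exe",
                 "_avp32.exe", "avpcc.exe", "iamapp.exe")


def parse_rename_section(text: str) -> list:
    """Return (destination, source) pairs from the [rename] section of a
    Wininit.ini. Windows applies each line as 'dest=src' at the next boot;
    a destination of NUL means 'delete src'. configparser is the wrong tool
    here because the NUL key legitimately repeats."""
    section = None
    ops = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "rename" or "=" not in line:
            continue
        dest, src = (s.strip() for s in line.split("=", 1))
        ops.append((dest, src))
    return ops


def basename(win_path: str) -> str:
    """Last path component, lower-cased, accepting either separator."""
    return win_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(text: str) -> dict:
    """Split the queued operations into deletions and renames and flag deletions
    aimed at security software. 8.3 short forms of the file name itself
    (e.g. ZONEAL~1.EXE) would need a looser match than this exact one."""
    result = {"deletions": [], "renames": [], "suspicious": []}
    for dest, src in parse_rename_section(text):
        if dest.upper() == "NUL":
            result["deletions"].append(src)
            if basename(src) in SECURITY_EXES:
                result["suspicious"].append(src)
        else:
            result["renames"].append((src, dest))
    return result


def triage_file(path: str) -> dict:
    # Wininit.ini is an ANSI text file; cp1252 covers what a Win9x box writes.
    with open(path, encoding="cp1252", errors="replace") as fh:
        return triage(fh.read())


# Constructed sample shaped like what the worm would queue, plus one ordinary
# installer-style rename; not captured from a real infection.
SAMPLE_WININIT = """[rename]
NUL=C:\\PROGRA~1\\ZONEAL~1\\ZONEALARM.EXE
NUL=C:\\WINDOWS\\SYSTEM\\VSMON.EXE
NUL=C:\\PROGRA~1\\NORTON~1\\NAVW32.EXE
C:\\WINDOWS\\SYSTEM\\SETUPX.DLL=C:\\WINDOWS\\TEMP\\SETUPX.TMP
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_WININIT).items():
        print(key, value)
```

A legitimate installer also writes Wininit.ini to swap in-use DLLs at reboot, so the rename entries are normal; what is not normal is a run of NUL= lines pointing at your firewall and scanner, and the fix is to remove those lines (or the file) before the machine restarts.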
Symantec Customer Service not on the same page!
As evidenced by this thread, the kiddies at Symantec Customer Service don't know when to punt!
-
Boycott Proselytism
Here's an email I sent to McAfee and posted here
- Begin Email -
As the "alpha geek" in my peer/family groups, my friends and relatives always check with me before purchasing software. Given the statements made by your company in regards to allowing federal trojans to live undetected on your paying customers' machines, I will now refer the inquisitors to an alternative brand of AV software. I am also asking all of my other "geek" friends to take similar action in their peer groups.
I sincerely hope that this will negatively impact your company enough that you will consider changing this reactionary policy.
Thank You.
"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
- Benjamin Franklin, Historical Review of Pennsylvania, 1759.
- End of Email -
If we all did this in a non-obtrusive way (friend asks what AV should I buy, you say "Sophos"), this could have a huge impact on the offending software companies. -
Re:Now is the time to write your senator
The brave new list of Do's and Don'ts regarding writing your congressperson:
1. Don't write. They don't open their mail for fear of Anthrax.
2. Don't call. LSD, lightning, viruses, and many other things make Congress fearful of phones, and not likely to answer them.
3. Don't fax. After all, a fax is really just a glorified phone call. (see #2)
4. Don't email. They all heard about that Good Times virus, and are really afraid of getting it.
5. Don't drive there in person. Especially if you drive a white van, and try to park in front of the building.
In conclusion, the best way to contact your congressperson now seems to be standing on the tallest building near them and yelling. Just don't get too close to them. -
This is great news!
This makes perfect sense! I mean, there's no way to catch a virus through email. Right?
-
For those of you, who like me, keep their mail...
...religiously without ever throwing it out, not even spams, virii, chain letters etc.:
With a little bit of luck Bin Laden, or one of his cronies, might have caught the Sircam virus, and unwittingly mailed out his secret plans. Now is the moment to (safely) open these old mails, and check out whether maybe you have something among them which might interest the FBI... It would astonish me if among all those zillions of Sircam mails that were sent around the world back in spring, there wasn't one containing juicy details...
In order to "safely" open Sircam mails, detach the attachment (in Unix), then strip off the first 134 kilobytes:
dd if=attachment.doc.exe of=attachment.doc bs=1024 skip=134
Then transfer the stripped attachment to your Winders box, and open it in Word/Excel or wherever. Enjoy!
N.B. Many Word files can be viewed using strings -a. They seem to contain the ASCII text in integro near the end, buried among the binary rubble. And if you've got a Sircam'ed zip file, just unzip it like you would unzip any other file (i.e. unzip attach.zip.vbs): indeed Zip files are "anchored" at the end, and any trailing garbage is silently ignored.
-
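The comment above relies on two file-format facts: the stolen document sits after a fixed-size worm body (hence dd with skip=134), and a ZIP archive is located from its end, so trailing junk does not matter. The block below is an added example, not code from the commenter, that does both in Python and adds the check a practitioner wants before double-clicking the result: the carved .doc must start with the OLE2 compound-document magic, otherwise the prefix length was wrong and you are about to open worm code. The ZIP carver reads the end-of-central-directory record by hand to show why unzip tolerates junk on either side; Python's zipfile does the same internally. The 134 KiB prefix comes from the comment; the specimen files here are constructed, not real Sircam output.

```python
import io
import struct
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # Word/Excel 97-2003 container signature
EOCD_SIG = b"PK\x05\x06"    # ZIP end-of-central-directory record
CDH_SIG = b"PK\x01\x02"     # ZIP central-directory file header
EOCD_LEN = 22


def strip_prefix(data: bytes, prefix_kib: int) -> bytes:
    """The dd command in Python: drop the first prefix_kib KiB (the worm body)."""
    return data[prefix_kib * 1024:]


def looks_like_ole2(data: bytes) -> bool:
    """Check before opening: a carved .doc/.xls must start with the OLE2 magic."""
    return data.startswith(OLE2_MAGIC)


def carve_zip(data: bytes) -> bytes:
    """Locate a ZIP archive inside data by its end-of-central-directory record.
    This is why unzip ignores trailing garbage: it reads the archive from the
    end. Leading junk is handled too, because the central-directory offset in
    the EOCD is relative to the start of the archive."""
    idx = data.rfind(EOCD_SIG)
    if idx < 0:
        raise ValueError("no end-of-central-directory record found")
    # EOCD layout: sig(4) disk(2) cd_disk(2) entries_disk(2) entries(2)
    #              cd_size(4) cd_offset(4) comment_len(2)
    cd_size, cd_offset, comment_len = struct.unpack_from("<IIH", data, idx + 12)
    cd_start = idx - cd_size
    start = cd_start - cd_offset
    end = idx + EOCD_LEN + comment_len
    if start < 0 or end > len(data) or data[cd_start:cd_start + 4] != CDH_SIG:
        raise ValueError("EOCD record is inconsistent with the surrounding bytes")
    return data[start:end]


def read_zip(archive: bytes) -> dict:
    """Extract every member of an in-memory archive as {name: content}."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return {info.filename: zf.read(info) for info in zf.infolist()}


def build_sample() -> bytes:
    """Constructed specimen: a real ZIP with junk before and after it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("plans.txt", b"meeting at noon")
    return b"\x90" * 3072 + buf.getvalue() + b"trailing script junk"


if __name__ == "__main__":
    archive = carve_zip(build_sample())
    print(read_zip(archive))
    fake_doc = strip_prefix(b"\x90" * (134 * 1024) + OLE2_MAGIC + b"\x00" * 504, 134)
    print(looks_like_ole2(fake_doc))
```

Do the carving on a Unix box as the comment says, and only move the carved document across once the magic check passes; the failure mode you are guarding against is a prefix that is a few bytes off, which leaves executable code at the front of the "document".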
Win XP kills Ghost?
I used to handle desktop support at a large company and dealt with the issue of rolling out new and replacement PCs. We used Symantec Ghost to blast our custom images onto machines so they arrived on a user's desk ready to go with all the site-licensed software, etc. It made deployments fairly easier and resulted in happier customers.
With XP's new registration process - how is that going to work? Will you still be ABLE to ghost XP machines? Will users have to handle the registration process on their own after the machine is delivered? God forbid they lose that license certificate in the process. With previous versions of Windows you simply used Ghostwalker to update the settings and such. But this adds yet another step to an already tedious process.
So does anyone who uses Ghost to roll out systems have a plan or idea how they'll handle the onslaught of XP? Symantec has an article that basically says XP is Beta (not anymore!) and they'll have more info after release (none I can find). They say they were able to use Ghost and Ghostwalker to clone an XP machine - but again, cloning (i.e. backing up) a system is one thing, making corporate images you can toss onto new systems is something else entirely... It'll be too bad if Microsoft's zeal for $$$ trashes a program that saved countless IT depts thousands of hours in deployment time.
-
Re:Do Workstations Scan too?
It infects through the shared drives. Copies itself to any available open shares on the network. 3 infection paths: 1) Unpatched webservers 2) Emails 3) Shared drives. Check out Symantec's page for more details.
-
Doh!
Heres what I was just about to submit:
LaBrea - The Tarpit: Keep your friends close, your enemies closer.
- -
With the recent proliferation in worms (Code Red, Sircam, Nimda, etc.), beyond either switching to a more secure? webserver or keeping up to date with the patches for your own and hoping that others do the same, approaches to actively dealing with the problem have been limited. One can try to either contact the administrator[s] of the machines infected or take a slightly more risky proactive approach. 'LaBrea' - The Tarpit offers proof of concept? for an interesting open source approach.
Linux Today, Wired and LinuxSecurity have covered this developing project, more information is available from Hackbusters here, here, here, here, here, or here.
- -
Im off to sulk. :) -
what will this do to the file sharing networks?
I've seen a few comments (mostly here) that this is the film to glean off of one of those evil file sharing networks. I wonder how many people will do this and if the networks can keep up with the demand? Could this grind the net down to a crawl like all those viruses like Nimda*? I doubt it, mostly because I don't know all that much about the way packets are shuttled around the globe.
I guess my question is how many people will try to download it as soon as someone rips it, or will we all be law-abiding and get it from a store? Also, do you think this will slow down internet access all over the world and cause routers to spontaneously combust? Oh wait, I forgot that no one here would ever illegally download copyrighted material.
;)
*Off topic, but when you heard of Nimda, did anyone else immediately remember The Secret of NIMH? I love that movie! -
Re:Defending our infrastructure.
Imagine if a particularly nasty computer virus had been released on September 11th...
Actually, the new Nimda virus has been released exactly one week after the first plane hit, precise to the minute.
-
Info on this from Symantec
Symantec just released a report on this virus. I will reproduce the text here:
This is the preliminary information known at this time.
There is a new mass-mailing worm that utilizes email to propagate itself. The threat arrives as readme.exe in an email.
In addition, the worm sends out probes to IIS servers attempting to spread by using the Unicode Web Traversal exploit similar to W32.BlueCode.Worm. Compromised servers may display a webpage prompting a visitor to download an Outlook file which contains the worm as an attachment.
Also, the worm will create an open network share allowing access to the system. The worm will also attempt to spread via open network shares.
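The report above says the worm probes IIS servers with the Unicode web traversal exploit: a request like /scripts/..%c0%af../winnt/system32/cmd.exe, where %c0%af is an overlong (invalid) UTF-8 encoding of "/" that the IIS decoder accepted after its directory-traversal check had already run. The block below is an added example, not part of the post or of Symantec's report, that normalizes request paths the way that decoder did and flags traversal in web-server logs, so an admin can see which hosts are scanning them. It goes one step beyond the page's description by also decoding twice, which catches the %255c form (a "%" encoded as %25 in front of 5c) that the same family of probes used. The log lines are constructed in Apache common log format and modelled on these probes; they are not from a real server.

```python
import re

HEX = set("0123456789abcdefABCDEF")

# Constructed access-log lines modelled on the IIS probes described above;
# not copied from any real log.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Sep/2001:08:30:01 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
10.0.0.5 - - [18/Sep/2001:08:30:01 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
10.0.0.5 - - [18/Sep/2001:08:30:02 -0400] "GET /_vti_bin/..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
10.0.0.9 - - [18/Sep/2001:08:31:10 -0400] "GET /index.html HTTP/1.0" 200 1234
10.0.0.9 - - [18/Sep/2001:08:31:11 -0400] "GET /docs/a%2e%2e/b.html HTTP/1.0" 200 88
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def percent_decode(s: str) -> bytes:
    """One round of %xx decoding, producing raw bytes."""
    out = bytearray()
    i = 0
    while i < len(s):
        if s[i] == "%" and i + 2 < len(s) and s[i + 1] in HEX and s[i + 2] in HEX:
            out.append(int(s[i + 1:i + 3], 16))
            i += 3
        else:
            out.extend(s[i].encode("latin-1", "replace"))
            i += 1
    return bytes(out)


def fold_overlong(b: bytes) -> bytes:
    """Collapse two-byte sequences led by 0xC0/0xC1. Those are overlong UTF-8
    encodings of ASCII; the vulnerable IIS decoder accepted them and did not
    insist on a valid continuation byte, so %c0%af -> '/' and %c1%1c -> '\\'."""
    out = bytearray()
    i = 0
    while i < len(b):
        if b[i] in (0xC0, 0xC1) and i + 1 < len(b):
            out.append(((b[i] & 0x1F) << 6) | (b[i + 1] & 0x3F))
            i += 2
        else:
            out.append(b[i])
            i += 1
    return bytes(out)


def normalize(path: str, rounds: int = 2) -> str:
    """Decode repeatedly (the second round turns %255c -> %5c -> '\\'), fold
    overlong UTF-8, and unify separators so '..' segments compare literally."""
    cur = path
    for _ in range(rounds):
        decoded = fold_overlong(percent_decode(cur)).decode("latin-1")
        if decoded == cur:
            break
        cur = decoded
    return cur.replace("\\", "/")


def is_traversal(path: str) -> bool:
    """True when a '..' path segment survives normalization (query string ignored)."""
    norm = normalize(path.split("?", 1)[0])
    return ".." in norm.split("/")


def scan_log(text: str) -> list:
    """Return (client, raw path, normalized path) for every request that
    traverses out of its directory once decoded."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path")
        if is_traversal(path):
            hits.append((m.group("ip"), path, normalize(path.split("?", 1)[0])))
    return hits


if __name__ == "__main__":
    for client, raw, norm in scan_log(SAMPLE_LOG):
        print(client, raw, "->", norm)
```

The segment comparison, rather than a substring search for "..", is deliberate: /docs/a%2e%2e/b.html decodes to a segment named "a..", which is a legal filename and not a traversal, and a substring check would flag it.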