Thanks Billybob,
Found this @ NAI.com
http://vil.nai.com/vil/content/v_100295.htm
The minimum engine for detection of this threat is the 4.1.60 engine, however to remove it the 4.2.40 engine is required. AVERT recommend ALL users (Enterprise and Consumer) update to the 4.2.40 engine immediately to stay protected from this threat.
This mass-mailing worm has many components and an internal timer to trigger different processes at different times. These include:
Mass-mailing itself to addresses gathered from different places:
Outlook Contacts list
Windows Address Book (WA
Addresses found on the local system
Randomly manufactured addresses
IRC bot (Internet Relay Chat)
AIM bot (AOL Instant Messenger)
Keylogger
KaZaa worm
HTTP server
Remote access server
Self-updating mechanism
Anti-virus software termination
The worm contains its own SMTP engine and uses the default SMTP server as specified in the Internet Account Manager registry settings. It can also use any one of several hundred different external SMTP servers.
The worm arrives as an email attachment in various messages. The from address can be forged such that the apparent sender is not the actual sender. Message body and subject lines vary, as do attachment names. Attachments use standard executable extensions (.com, .exe, .pif, .scr). Such as:
Subject: why?
Body: The peace
Attachment: desktop.scr
Subject: Re: You might not appreciate this...
Body: lautlach
Attachment: service.scr
Subject: Re: how are you?
Body: I sent this program (Sparky) from anonymous places on the net
Attachment: Jesse20.exe
Subject: Fwd: Mariss995
Body: There is only one good, knowledge, and one evil, ignorance.
Attachment: Mariss995.exe
Subject: Re: The way I feel - Remy Shand
Body: Nein
Attachment: Jordan6.pif
Hybrid Mode
