Name:  W32/Apost-A
Aliases:  W32/APost@MM,W32.Urgent.Worm@mm,Apost-A,Urgent.Worm
Variants:  
Type:  Worm
Platforms: W32/Outlook
Status:  in the wild
Threat:  V-CON 3 (medium)
The following has been derived from information provided by NAI, Sophos, and Symantec.
Virus Characteristics
This worm arrives as an attachment to the following e-mail:
SUBJECT:
As per your request!
BODY:
Please find attached file for your review.
I look forward to hear from you again very soon. Thank you.
The attached file is called README.EXE and is 24576 bytes long.
Payload
When the worm is activated it creates a copy of itself in your Windows folder as readme.exe. It then creates the following registry key and value so that the copy is run at every logon:
KEY:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
VALUE:
macrosoft = "C:\Windows\readme.exe"
It also writes a copy of itself to the root of all local drives (this includes floppy drives, zip drives and network drives).
The worm sends a copy of itself to every entry in the user's email address book and then displays a small dialog box titled "Urgent!". This dialog box contains one single large button labeled "Open".
If this button is pressed then the worm sends out further copies of itself and then displays an error message box with the title "WinZip SelfExtractor: Warning" and containing the error message "CRC error: 34#".
Preventative Measures
Block messages containing the attachment readme.exe.
Block messages with the subject: As per your Request!
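The two blocking rules above can be checked in one pass over an inbound message. The following is an added example, not part of the original alert or any vendor's tooling: it parses an RFC 822 message and reports which W32/Apost-A indicators it matches (the subject line, the README.EXE attachment name, and the 24576-byte attachment size stated above). The sample message is constructed with dummy bytes, not the worm.

```python
# Added example (not from the original alert): flag inbound mail that matches
# the W32/Apost-A indicators: subject "As per your request!" and an attachment
# named README.EXE of 24576 bytes. The sample message below is constructed.
import email
from email import policy
from email.message import EmailMessage

APOST_SUBJECT = "as per your request!"
APOST_ATTACHMENT = "readme.exe"
APOST_SIZE = 24576


def apost_indicators(raw_message: bytes) -> list:
    """Return the W32/Apost-A indicators matched by an RFC 822 message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    # Subject check is case-insensitive so trivial capitalisation changes still match.
    subject = (msg.get("Subject") or "").strip().lower()
    if subject == APOST_SUBJECT:
        hits.append("subject")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name == APOST_ATTACHMENT:
            hits.append("attachment-name")
            # Decode the base64 body to compare the real attachment length.
            payload = part.get_payload(decode=True) or b""
            if len(payload) == APOST_SIZE:
                hits.append("attachment-size")
    return hits


def build_sample(attachment_size: int) -> bytes:
    """Construct a message shaped like the worm's e-mail (dummy bytes, not the worm)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "As per your request!"
    msg.set_content("Please find attached file for your review.\n")
    msg.add_attachment(b"\x00" * attachment_size, maintype="application",
                       subtype="octet-stream", filename="README.EXE")
    return msg.as_bytes()


if __name__ == "__main__":
    print(apost_indicators(build_sample(24576)))
```

A mail gateway would quarantine on the attachment-name hit alone; the size check only adds confidence that the file is the original 24576-byte sample rather than a renamed look-alike.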
Fixes Available
Network Associates: DAT 4157
Sophos: apost.ide
Symantec: Not available at time of alert.
Trend: No information at time of alert.