Name:  W32/Fbound.c@MM
Aliases:  I-Worm.Zircon.c, W32.Dotjaypee@mm, W32.Impo@mm, W32/FBound-C, W32/FBound.C@mm, Win32.Fbound.C, WORM_FBOUND.B, WORM_JAPANIZE.A
Variants:  
Type:  Internet Worm
Platforms: Windows 32-bit
Status:  in the wild
Threat:  V-CON 3 (medium)
The following has been derived from information provided by NAI, Symantec, and Trend.
Virus Characteristics
This is a pure mass-mailing worm. It does not carry any other damaging payload. The virus sends itself to all users found in the Windows Address Book using SMTP. It arrives in an e-mail message that has the following characteristics:
Subject: "Important" or a subject using Japanese characters
Body: [empty]
Attachment: patch.exe
Payload
Running the EXE manually will cause it to run the mass-mailing routine. The worm queries the registry to locate the Windows Address Book file, and gathers target e-mail addresses from this WAB file. The registry key queried by the worm is:
HKEY_CURRENT_USER\Software\Microsoft\WAB\WAB4\Wab File Name
The virus then uses the default Internet Account Manager settings to send itself out using the default SMTP server. These settings are specified in the following registry keys:
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\(Default account id)\SMTP Server
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\(Default account id)\SMTP Email Address
Preventative Measures
Block all incoming messages with attachments named PATCH.EXE at the SMTP gateway where possible.
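The gateway rule above, sketched as an added example (not part of the original advisory or any vendor's product): a Python check that parses a raw message and rejects it if any MIME part carries the attachment name. Case-insensitive matching, path stripping and trailing dot/space handling are assumptions added here; the function names, addresses and sample messages are constructed.

```python
import email
from email import policy
from email.message import EmailMessage

BLOCKED = {"patch.exe"}  # attachment name given in the advisory

def normalise(name):
    """Reduce a MIME filename to the form Windows would resolve it to (assumed hardening)."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]  # drop any path prefix
    return base.rstrip(" .").lower()                   # trailing dots/spaces are ignored by Win32

def blocked_attachments(raw):
    """Return the blocked attachment names found in a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():           # walk() also descends into nested multiparts
        name = part.get_filename()    # filename= parameter, falling back to name=
        if name and normalise(name) in BLOCKED:
            hits.append(name)
    return hits

def gateway_verdict(raw):
    """'reject' if any part carries a blocked name, else 'accept'."""
    return "reject" if blocked_attachments(raw) else "accept"

def build_sample(filename, subject="Important"):
    """Constructed test message: short text body plus one attachment of the given name."""
    m = EmailMessage()
    m["From"] = "sender@example.test"
    m["To"] = "rcpt@example.test"
    m["Subject"] = subject
    m.set_content("constructed sample\n")
    m.add_attachment(b"constructed bytes, not a real executable",
                     maintype="application", subtype="octet-stream",
                     filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    for fn in ("patch.exe", "PATCH.EXE", "patch.exe.", "notes.txt"):
        print(repr(fn), gateway_verdict(build_sample(fn)))
```

Matching on the decoded filename of every part, rather than a substring search over the raw message, avoids both missed encoded names and false hits on body text that merely mentions the file.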
Fixes Available
Network Associates:
Currently detected with Extra.dat or Daily DAT. Also detected heuristically with 4140 DATs or newer.
Detection will be included in 4191 DATs.
Symantec:
Detected as W32.Dotjaypee@mm using definitions dated 0313.
Will be detected as W32.Impo@mm with definitions dated 0314 or later.
Trend:
Detected with Pattern #241