This is a mass-mailing worm that arrives in an email message as follows:

From: (spoofed)
Subject: (Random)
Body:  (Varies, such as) 

• The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
• The message contains Unicode characters and has been sent as a binary attachment.
• Mail transaction failed. Partial message is available.

Attachment: (varies [.exe, .pif, .cmd, .scr] - often arrives in a ZIP archive) (22,528 bytes)

The icon used by the file tries to make it appear as if the attachment is a text file

When this file is run it copies itself to the local system with the following filenames:

•  c:\Program Files\KaZaA\My Shared Folder\activation_crack.scr
•  %SysDir%\taskmon.exe

(Where %Sysdir% is the Windows System directory, for example C:\WINDOWS\SYSTEM)

It also uses a DLL that it creates in the Windows System directory:

It also uses a DLL that it creates in the Windows System directory:

•  %SysDir%\shimgapi.dll (4,096 bytes)

It creates the following registry entry to hook Windows startup:

• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
  CurrentVersion\Run "TaskMon" = %SysDir%\taskmon.exe

The worm opens a connection on TCP port 3127 suggesting remote access capabilities.

AVERT is currently analyzing this the threat.  Details will be posted, as they are available.

• Upon executing the virus, Notepad is opened, filled with nonsense characters.
• Existence of the files and registry entry listed above

This file tries to spread via email and by copying itself to the shared directory for Kazaa clients if they are present.

The mailing component harvests address from the local system.  Files with the following extensions are targeted:

• wab
• adb
• tbb
• dbx
• asp
• php
• sht
• htm
• txt

Additionally, the worm contains strings, which it uses to randomly generate, or guess, addresses.

The following EXTRA.DAT packages are available.

• EXTRA.DAT
• SUPER EXTRA.DAT