Description:

TrendLabs HQ received several reports of this polymorphic mass-mailing worm spreading via email.

This polymorphic, memory-resident worm drops and executes a copy of itself as NLOAD.EXE in the root directory. It employs several autostart techniques so that it runs at every system startup.

This worm uses SMTP (simple Mail Transfer Protocol) to send email to found recipients in files with the following extensions:


HTM
WAB
HTM
DBX
TBB
The format of the email it sends out is as follows:

From: newvirus@kaspersky.ru
Subject: Unknown
Message body: If you cant see message text from: , read attached file.
Attachment: Document.zip

It steals critical system and user information and sends all gathered data to a remote user.

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MIMAIL.U