Virus Information
Discovery Date: 03/05/2004
Origin: Unknown
Length: 22,528 bytes (PE-Pack)
Type: Virus
SubType: E-mail

This variant is very similar to W32/Netsky.g@MM.

This virus spreads via email. It sends itself to addresses found on the victim's machine. The virus also attempts to deactivate various other viruses (variants of W32/Mydoom and W32/Bagle).

Mail propagation
The virus may be received in an email message as follows:

From: (forged address taken from infected system)


Subject:

Re: Hi
Re: Part 3
Re: Part 2
Re: Index
Re: Hello
Re: Yours
Re: Samples
Re: Your TAN
Re: Your PIN
Re: Your bill
Re: My details
Re: Your data
Re: Appending etc.etc.

System changes
The worm copies itself into the %WinDir% folder (e.g. C:\WINDOWS) using the filename MAJA.EXE.

C:\WINNT\maja.exe (22,528 bytes)
Note: A valid file exists in the %Sysdir% directory.

A Registry key is created to load the worm at system start.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Antivirus" = %WinDir%\maja.exe -antivirus service
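
The system changes above can be checked on collected host data. The following is an added example, not part of the original description: it scans saved `reg query` output and a file inventory for the Run value and the 22,528-byte MAJA.EXE copy. The function names and sample data are constructed, and ignoring a maja.exe in a subfolder such as system32 is an assumption based on the %Sysdir% note.

```python
import re
from pathlib import PureWindowsPath

# Indicators from the description above
RUN_VALUE = "antivirus"
FILENAME = "maja.exe"
ARGS = "-antivirus service"
SIZE = 22528  # bytes

# reg.exe prints one value per line: <indent>Name  REG_SZ  Data
REG_LINE = re.compile(r"^\s+(?P<name>.+?)\s+REG_\w+\s+(?P<data>.*)$")

def in_windir(path, windir):
    """True if path is maja.exe directly inside the Windows folder."""
    p = PureWindowsPath(path.lower())
    return p.name == FILENAME and p.parent == PureWindowsPath(windir.lower())

def suspicious_run_values(reg_text, windir=r"C:\WINDOWS"):
    """Return (name, data) pairs matching the worm's Run entry."""
    hits = []
    for line in reg_text.splitlines():
        m = REG_LINE.match(line)
        if not m or m["name"].lower() != RUN_VALUE:
            continue
        data = m["data"].strip()
        # Normalise case, quotes and an unexpanded %WinDir% before comparing
        cmd = data.lower().replace('"', "").replace("%windir%", windir.lower())
        if cmd.endswith(ARGS) and in_windir(cmd[: -len(ARGS)].strip(), windir):
            hits.append((m["name"], data))
    return hits

def suspicious_files(inventory, windir=r"C:\WINDOWS"):
    """inventory: iterable of (path, size_in_bytes) records."""
    return [p for p, size in inventory if size == SIZE and in_windir(p, windir)]

# Constructed sample input, not captured from a real host
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Updater      REG_SZ    C:\Program Files\Vendor\update.exe
    Antivirus    REG_SZ    C:\WINNT\maja.exe -antivirus service
"""
SAMPLE_FILES = [(r"C:\WINNT\maja.exe", 22528), (r"C:\WINNT\system32\maja.exe", 4096)]

if __name__ == "__main__":
    print(suspicious_run_values(SAMPLE_REG, windir=r"C:\WINNT"))
    print(suspicious_files(SAMPLE_FILES, windir=r"C:\WINNT"))
```

Pass the host's actual Windows folder as `windir`, since the description shows both C:\WINDOWS and C:\WINNT.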

Read more: http://vil.nai.com/vil/content/v_101077.htm