This virus was written in Visual Basic and packed with UPX; many of the strings in its body are encrypted.
It arrives as an email attachment. The format of the email may vary; here are some possibilities:
Hihi, ich war auf deinem Computer
Du bist Ge-Hackt worden
Ich habe Sie Ge-hackt
Der Kannibale von Rotenburg
George W. Bush plans new wars
George W. Bush wants a new war
You Got Hacked
Have you been hacked?
When run, it will sometimes display the following message:
It will create one or more copies of itself in the Windows System folder (using one of multiple possible names) and a registry entry (as described in Symptoms) that will run the virus at start-up.
The virus may run multiple copies of itself that monitor each other and respawn any instance that the user terminates; the virus also monitors whether the registry entry is deleted and re-creates it if so.
Sometimes, if the user tries to terminate one of the instances of the virus, it will create many copies of itself with random 8-digit names and .exe extensions in the Windows System folder, and run them (each one for just a short time before running the next one).
The virus looks for email addresses in files with one of the following extensions: htt, rtf, doc, xls, ini, mdb, txt, htm, html, wab, pst, fdb, cfg, ldb, eml, abc, ldif, nab, adp, mdw, mda, mde, ade, sln, dsw, dsp, vap, php, nsf, asp, shtml, shtm, dbx, hlp, mht, nfo.
It sends messages in the format described above, using its own SMTP client functions. Email addresses are recorded in mscolmon.ocx in the Windows System folder.
It overwrites the start of files shared with Kazaa (and possibly other file-sharing applications) with its body, and it may propagate using these networks.
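A triage sketch for the on-disk traces described above: the mscolmon.ocx address file and the 8-digit .exe copies in the Windows System folder, each checked for UPX section names. This is an added example, not part of the original description. It assumes "8-digit" means eight decimal digits and that the packer's usual UPX0/UPX1 section names are intact; the function names and all sample files are constructed.

```python
import re
import struct
import tempfile
from pathlib import Path

HARVEST_FILE = "mscolmon.ocx"  # address file named in the description
DROPPED_NAME = re.compile(r"^\d{8}\.exe$", re.I)  # assumption: 8 decimal digits

def pe_section_names(data):
    """Return the PE section names, or [] when data is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0" or len(data) < pe_off + 24:
        return []
    count, _, _, _, opt_size = struct.unpack_from("<HIIIH", data, pe_off + 6)
    table = pe_off + 24 + opt_size  # section table follows the optional header
    rows = (data[table + 40 * i:table + 40 * i + 8] for i in range(count))
    return [r.rstrip(b"\0").decode("ascii", "replace") for r in rows if len(r) == 8]

def triage(system_dir):
    """Report the on-disk traces the description lists for one folder."""
    report = {"harvest_file": False, "dropped": [], "upx_packed": []}
    for entry in sorted(p for p in Path(system_dir).iterdir() if p.is_file()):
        if entry.name.lower() == HARVEST_FILE:
            report["harvest_file"] = True
        elif DROPPED_NAME.match(entry.name):
            report["dropped"].append(entry.name)
            with entry.open("rb") as fh:
                sections = pe_section_names(fh.read(4096))
            if any(s.startswith("UPX") for s in sections):  # UPX0/UPX1 sections
                report["upx_packed"].append(entry.name)
    return report

def fake_pe(names):
    """Constructed sample: a bare PE header that carries only section names."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, 0, 0)
    return dos + coff + b"".join(n.encode().ljust(40, b"\0") for n in names)

def demo():
    """Run triage over a constructed folder; every file name here is made up."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "48213907.exe").write_bytes(fake_pe(["UPX0", "UPX1", ".rsrc"]))
        (root / "10557264.exe").write_bytes(fake_pe([".text", ".data"]))
        (root / "notepad.exe").write_bytes(fake_pe([".text"]))
        (root / "MSCOLMON.OCX").write_bytes(b"constructed@example.invalid\r\n")
        return triage(root)
```

Call `triage()` on the Windows System folder (or a forensic copy of it); `demo()` runs it over the constructed files. A non-empty `dropped` list alongside `harvest_file` is a stronger signal than either alone, since an 8-digit file name by itself is not unique to this virus.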