This worm spreads via e-mail by sending infected messages from affected computers. While spreading, the worm uses MS Outlook and sends itself to all addresses that are stored in the MS Outlook Address Book. As a result, an infected
The worm arrives to a computer as an e-mail message with an attached VBS file that is the worm itself. The message in original worm version contains the following:
Depending on your system settings, a real extension of the attached file (“.vbs”) may not be shown. In this case, the filename of the attached file is displayed as “REQUESTED_INFO.DOC”.
Being activated by a user (by double clicking on the attached file), the worm checks the system for a data file of the Union Bank of Switzerland electronic payment software. If such a file is found, the worm sends it to three e-mails (to worm’s author) and then exits.
In another case, if a file is not found, the worm runs its spreading routine: opens MS Outlook, gains access to the Address Book, obtains all the addresses from there and sends messages with an attached worm copy to all of them. The message