This worm spreads in e-mail messages and via IRC channels. It is related to the Angela multipartite virus, and IRC and e-mail compenents of the worm are detected as “Angela” components.
When run, the worm first of all copies itself to the Windows system directory with the hardcoded name:
To send its copies in an e-mail message, the worm creates a TEMP.VBS file with an additional VisualBasicSctipt program and spawns it. The program in the script accesses MS Outlook, obtains address book records, and sends a worm copy (with PNGUIN.SCR name) to first 20 addresses that are found there. The message contains:
The script then deletes its VBS file.
To infect IRC channels, the worm creates the SCRIPT.INI file in the C:MIRC directory. That script sends the PNGUIN.SCR file to all users that join the infected IRC channel.