-- Update September 4, 2003 --
This threat was updated to a Low-Profiled risk due to media attention from ComputerWorld's article:
First of perhaps many 9/11 viruses emerges
This Visual Basic worm propagates by mailing itself to recipients in the Outlook Address Book, using Outlook to construct and send the messages.
Products running the 4.2.40 engine with the 4253 DATs or greater detect this threat as "virus or variant W32/Generic.a@MM" (with scanning of compressed files enabled).
This will be detected exactly as W32/Generic.a@MM with the 4292 DATs and higher.
The virus is likely to be received in an email bearing the following characteristics:
It's Near 911!
Nerosys.exe ("911.jpg" label is used)
Nice butt baby!
When executed, the worm installs itself as:
System startup is hooked via the following Registry key (NT/2k):
CurrentVersion\Winlogon = Explorer.exe nerosys.exe
Or via the SYSTEM.INI system file (9x):
"shell" = Explorer.exe nerosys.exe
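
A check for the shell hook described above, as an added example that is not part of the original advisory: it reads the shell value from SYSTEM.INI text and lists every program in it other than Explorer.exe. The function names and the sample file are constructed for illustration; the same `extra_shell_entries` check can be applied to the Winlogon value string once it has been read from the registry.

```python
import ntpath

EXPECTED_SHELL = "explorer.exe"

# Constructed sample, not taken from an infected machine.
SAMPLE_SYSTEM_INI = """\
[boot]
shell=Explorer.exe nerosys.exe
system.drv=system.drv
[386Enh]
device=*vshare
device=*dynapage
"""

def system_ini_shell(text):
    """Return the shell= value from the [boot] section, or None."""
    # Parsed by hand: SYSTEM.INI repeats keys such as device=, which
    # configparser rejects in its default strict mode.
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        if sep and section == "boot" and key.strip().lower() == "shell":
            return value.strip()
    return None

def extra_shell_entries(shell_value):
    """List programs in a shell value other than Explorer.exe."""
    # Simplification: entries are split on spaces and commas, so a path
    # containing spaces would be split too and reported for review.
    tokens = shell_value.replace(",", " ").split()
    return [t for t in tokens
            if ntpath.basename(t.strip('"')).lower() != EXPECTED_SHELL]

if __name__ == "__main__":
    value = system_ini_shell(SAMPLE_SYSTEM_INI)
    print("shell =", value)
    print("unexpected entries:", extra_shell_entries(value or ""))
```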