This variant bears close similarities to
Products running the 4.2.40 engine with the 4253 DATs or greater detect this threat as "virus or variant W32/Generic.a@MM" (with scanning of compressed files enabled).
This will be detected exactly as W32/Generic.a@MM with the 4292 DATs and higher.
The virus is likely to be received in an email bearing the following characteristics:
Time to 911!
original filename - likely NRS.EXE ("119.gif" label is used)
Hi, Nice butt!
When executed, the worm installs itself as:
System startup is hooked via the following Registry key (NT/2k):
CurrentVersion\Winlogon = Explorer.exe nrs.exe
Or via the SYSTEM.INI system file (9x):
"shell" = Explorer.exe nrs.exe