This worm functions much the same way that JS/Kak.worm does. AVERT recommends installing the security patch from Microsoft.
Like JS/Kak.worm, a dangerous aspect of this Internet worm is its ability to continuously re-infect your system if the preview pane is enabled and you browse between folders, specifically the "sent" folder, which happens to contain the Internet worm within a message. This is another strong reason to install the security patch.
This worm uses VBScript and an ActiveX component, called "Scriptlet Typelib", to propagate itself through email using MS Outlook Express.
When an e-mail or newsgroup message infected by this worm is opened by a reader which supports VBScript in HTML, the worm writes the Update.hta file to the Startup folder of the local machine. This will launch the code embedded in the HTA file at the next Windows startup. Microsoft has published a security update which addresses this ActiveX exploit, and users are encouraged to update their systems with this component. With this update installed, users are asked whether they wish to run the ActiveX control which "might be unsafe".
For more details on this vulnerability and to obtain a patch from Microsoft, see this link:
Microsoft Security Bulletin
For current security bulletins from Microsoft, see this link:
On infected systems, email messages written in HTML format will carry the worm code because the worm modifies the default signature. The email application Outlook is a target of this Internet worm for propagation due to its support for HTML format messages. If an email message is coded with the worm code and it is allowed to run, these two files are written to the local machine:
The email spreading method is made possible by a registry modification which adds a signature to MS Outlook. The signature is set to include the file "C:\WINDOWS\SIGN.HTML" and is set as the default signature, so that the worm is spread on all outgoing email in which the signature is included.
Finally, this worm also has a date-activated payload. On October 10, a message is displayed:
"Have you danced with the devil in the moonlight ?"
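As a defensive illustration of the traits described above (HTML mail carrying VBScript, the "Scriptlet Typelib" control, an .hta file aimed at the Startup folder, and the SIGN.HTML signature file), the following added example scans the HTML parts of a message for them. It is not AVERT's or Microsoft's code; the regular expressions, function names, verdict rule and both sample messages are assumptions constructed here, and the suspect sample is inert.

```python
import re
from email import message_from_bytes, policy

# Traits come from the description above; the patterns themselves are assumptions.
INDICATORS = {
    "vbscript_block": re.compile(r"<script[^>]*language\s*=\s*[\"']?vbscript", re.I),
    "scriptlet_typelib": re.compile(r"scriptlet\.typelib", re.I),
    "hta_reference": re.compile(r"\.hta\b", re.I),
    "sign_html_reference": re.compile(r"sign\.html\b", re.I),
}

def scan_html(html):
    """Return the sorted names of indicators present in one HTML body."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(html))

def scan_message(raw):
    """Scan every text/html part of a raw RFC 5322 message (bytes)."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = set()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            hits.update(scan_html(part.get_content()))
    return sorted(hits)

def verdict(hits):
    """Quarantine only when script, control and drop target all appear together."""
    needed = {"vbscript_block", "scriptlet_typelib", "hta_reference"}
    if needed <= set(hits):
        return "quarantine"
    return "review" if hits else "pass"

HEADERS = (b"From: a@example.test\r\nTo: b@example.test\r\nSubject: hi\r\n"
           b"MIME-Version: 1.0\r\nContent-Type: text/html; charset=us-ascii\r\n\r\n")

# Constructed, inert sample: the script body is only a VBScript comment.
SAMPLE_SUSPECT = HEADERS + (
    b"<html><body>hello\r\n<script language=\"VBScript\">\r\n"
    b"' placeholder: Scriptlet.TypeLib -> Startup\\Update.hta\r\n"
    b"</script></body></html>\r\n")

# Constructed benign sample with no script content.
SAMPLE_CLEAN = HEADERS + b"<html><body><p>Lunch at noon?</p></body></html>\r\n"

if __name__ == "__main__":
    for name, raw in (("suspect", SAMPLE_SUSPECT), ("clean", SAMPLE_CLEAN)):
        hits = scan_message(raw)
        print(name, verdict(hits), hits)
```

The same `scan_html` function can be run over the contents of a signature file such as SIGN.HTML, since the worm travels in the signature's HTML.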