This worm spreads via the Internet as an attachment to infected messages.
The worm copies itself to the Windows directory under the name fvprotect.exe and registers this file in the system registry autorun key:
"Norton Antivirus AV" = %windir\fvprotect.exe
The worm also creates a file named userconfig9x.dll in the Windows directory, and files with the following names:
zipped.tmp, base64.tmp, zip1.tmp, zip2.tmp, zip3.tmp
These files are copies of the worm in UEE format and ZIP archives containing copies of the worm.
Files within the archive will have names chosen from the following list:
document.txt.exe, data.rtf.scr, details.txt.pif
The worm searches for files with some extensions and sends copies of itself to email addresses harvested from these files.
The worm also attempts to establish a direct connection to the message recipient's server.
Infected messages contain random combinations of the sender's address, message header and body.
There is a wide range of potential attachment names.
The attached file often has a dual extension, with the first extension being .doc or .txt, and the second being one from the following list:
exe, pif, scr, zip. The worm is also able to send itself as a ZIP archive.
The worm may send messages which contain the IFRAME Exploit, in the same way that Klez.h and Swen did.
When this happens, if the message is viewed using a vulnerable mail client, the archive file containing the worm will be launched automatically.
If the worm finds some keys in the system registry key
it will delete them.
It will also delete the keys 'system', 'Video'
and the key values, created by I-Worm.Bagle.
Use antivirus (also check How To Remove section)Startup Optimizer to remove it from startup.