When executed, the worm extracts the SMTP information and the user’s email address from the registry. It then goes through the Windows address book and sends itself to the email addresses it finds.
The worm sends an email with an empty body and an attachment called patch.exe. If the email address contains ".jp", it selects one of 16 possible subject lines; otherwise it uses the subject "Important". The worm encodes the message in such a way that it violates RFC Base64 encoding rules. The code body includes this text:
When the sending process is over, the worm terminates and won't run again unless the user executes it again. It does not change any registry settings or add a run line to a startup file.
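
A mail-triage check for the message traits described above, as an added example that is not part of the original description: it flags a message carrying a patch.exe attachment with an empty body, and reports where the attachment's Base64 breaks the RFC 2045 encoder rules. The description does not say which rule the worm breaks, so the four checks, the function names and the sample messages are assumptions.

```python
import email
import re

B64_LINE = re.compile(r"^[A-Za-z0-9+/]*={0,2}$")

def base64_violations(raw_body):
    """List the RFC 2045 encoder rules a raw base64 body breaks (assumed checks)."""
    lines = [ln for ln in raw_body.splitlines() if ln]
    joined = "".join(lines)
    problems = []
    if any(len(ln) > 76 for ln in lines):
        problems.append("line longer than 76 characters")
    if any(not B64_LINE.match(ln) for ln in lines):
        problems.append("character outside the base64 alphabet")
    if "=" in joined.rstrip("="):
        problems.append("padding before end of data")
    if len(joined) % 4:
        problems.append("length not a multiple of 4")
    return problems

def triage(raw_message):
    """Flag the traits the description lists: patch.exe attachment, empty body."""
    msg = email.message_from_string(raw_message)
    out = {"patch_exe": False, "empty_body": True, "base64_violations": []}
    for part in msg.walk():
        if part.is_multipart():
            continue
        if (part.get_filename() or "").lower() == "patch.exe":
            out["patch_exe"] = True
            if part.get("Content-Transfer-Encoding", "").strip().lower() == "base64":
                out["base64_violations"] = base64_violations(part.get_payload())
        elif part.get_content_maintype() == "text" and part.get_payload().strip():
            out["empty_body"] = False
    out["subject_important"] = msg.get("Subject", "").strip() == "Important"
    out["suspicious"] = out["patch_exe"] and out["empty_body"]
    return out

def sample(filename, body, b64):
    """Constructed test message; addresses and payload are placeholders."""
    return "\n".join([
        "From: a@example.com", "To: b@example.com", "Subject: Important",
        "MIME-Version: 1.0", 'Content-Type: multipart/mixed; boundary="XX"', "",
        "--XX", "Content-Type: text/plain", "", body,
        "--XX", f'Content-Type: application/octet-stream; name="{filename}"',
        "Content-Transfer-Encoding: base64",
        f'Content-Disposition: attachment; filename="{filename}"', "", b64,
        "--XX--", ""])

if __name__ == "__main__":
    print(triage(sample("patch.exe", "", "TVqQ" + "A" * 96)))  # one 100-char line
    print(triage(sample("report.pdf", "See attached.", "JVBERi0xLjQ=")))
```

The subject match is reported separately because "Important" alone is too common to act on; the attachment name and empty body carry the verdict.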