Every Thursday the worm regenerates the new address list that stores in the ICMAIL.DLL file in the Windows System directory.
This worm sends itself with the following subject lines:
and the following bodies:
Here is what you asked, bye.
Maybe you could help me with this, bye.
Now you can try it, bye.
The following names are given to the worm's attachment:
Subject, body and attachment name are selected randomly from the above given list.
When the worm is first started it shows a fake error message:
This file does not work on this system"
And then it installs itself to system. It copies itself to Windows System Directory as 'NETAV.EXE' file. Then it adds the path of that file to the System Registry:
This way the worm starts during all Windows sessions.