VBS.Krim.G@mm arrives as an attachment to an email with the following characteristics:

Subject: SYMANTEC NORTON ANTIVIRUS
Body: REMOVE VIRUS SASSER
Attachment: mirko.bat

When the attachment is executed, it performs the following actions:

1. Copies itself as the following files:
   * C:\mirko.bat
   * %Windir%\mirko.bat
   * C:\mirko.reg
   * C:\mirko.vbs
   * C:\mirk.vbs

   Note: %Windir% is a variable. The worm locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.

2. Adds the value:

   "mirko"="c:\mirko.bat"

   to the registry key:

   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

   so that the worm is executed every time Windows starts.

3. Searches for an mIRC installation in any of the following folders:
   * C:\Mirc
   * C:\Mirc32
   * C:\Program Files\Mirc
   * C:\Program Files\Mirc32

4. If the worm locates an mIRC installation, it creates a script.ini file to send itself to other IRC users.

5. If the C:\autoexec.bat file exists, but C:\mirko.bat does not exist, the worm attempts to add a format command to C:\autoexec.bat.

6. Displays the following message:

   Hello %username%

7. Launches C:\mirko.vbs and sends itself to all email addresses in the Outlook address book.

To delete the value from the registry

WARNING: We strongly recommend that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry," for instructions.

1. Click Start, and then click Run. (The Run dialog box appears.)
2. Type regedit
   Then click OK. (The Registry Editor opens.)
3. Navigate to the key:

   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

4. In the right pane, delete the value:

   "mirko"="c:\mirko.bat"

5. Exit the Registry Editor.
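
The file, registry, mIRC and autoexec.bat artifacts listed above can be checked in one pass before cleaning up. The following PowerShell function is an added example, not part of the original write-up; it only reads, and the function name Get-KrimGArtifact and the regex used to spot a format line in autoexec.bat are assumptions.

```powershell
# Added example: read-only check for the artifacts listed in this write-up.
# Nothing is deleted or modified; findings are returned as objects.
function Get-KrimGArtifact {
    $found = @()

    # Files the worm copies itself to (step 1)
    $files = @(
        'C:\mirko.bat',
        (Join-Path $env:windir 'mirko.bat'),
        'C:\mirko.reg',
        'C:\mirko.vbs',
        'C:\mirk.vbs'
    )
    foreach ($f in $files) {
        if (Test-Path -LiteralPath $f -PathType Leaf) {
            $found += [pscustomobject]@{ Type = 'File'; Item = $f; Detail = 'present' }
        }
    }

    # Run value added for persistence (step 2)
    $runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -Name 'mirko' -ErrorAction SilentlyContinue
    if ($run) {
        $found += [pscustomobject]@{ Type = 'Registry'; Item = "$runKey\mirko"; Detail = $run.mirko }
    }

    # script.ini in the mIRC folders the worm searches (steps 3-4).
    # A script.ini can be legitimate, so a hit here needs manual review.
    foreach ($dir in 'C:\Mirc', 'C:\Mirc32', 'C:\Program Files\Mirc', 'C:\Program Files\Mirc32') {
        $ini = Join-Path $dir 'script.ini'
        if (Test-Path -LiteralPath $ini -PathType Leaf) {
            $found += [pscustomobject]@{ Type = 'mIRC'; Item = $ini; Detail = 'review contents' }
        }
    }

    # Lines in autoexec.bat that invoke format (step 5).
    # The pattern is an assumption; the write-up does not give the exact line.
    if (Test-Path -LiteralPath 'C:\autoexec.bat' -PathType Leaf) {
        foreach ($m in Select-String -LiteralPath 'C:\autoexec.bat' -Pattern '^\s*@?format\b') {
            $found += [pscustomobject]@{ Type = 'Autoexec'; Item = "line $($m.LineNumber)"; Detail = $m.Line.Trim() }
        }
    }
    $found
}

Get-KrimGArtifact | Format-Table -AutoSize -Wrap
```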