AVERT is currently analyzing this threat. Details will be published as they become available. This threat is proactively detected as New MSVB P2P worm when using the 4266 DAT files with the 4.2.40 scan engine and scanning compressed executables (a default scan option).
This variant of the worm is very similar to previous variants. It is intended to propagate via email and by sharing itself over P2P networks.
The worm consists of a 3-file sandwich:
DROPPER COMPONENT | PROPAGATION COMPONENT | SMTP LIBRARY
The dropper component is intended to drop and run the other components:
Propagation component: 56,614 bytes
SMTP library: 25,737 bytes
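A triage sketch for the layout above, added here as an example (not AVERT's tooling): it finds where the dropper's PE image ends on disk and checks whether the remaining overlay is exactly the two documented component sizes. It assumes the components are stored unmodified, in the order shown, after the dropper's last section, which the description does not state; the function names and the constructed sample are hypothetical.

```python
import struct

# Component sizes as given in the description above.
PROPAGATION_SIZE = 56_614
SMTP_LIBRARY_SIZE = 25_737


def pe_image_end(data: bytes) -> int:
    """Return the file offset where the last PE section's raw data ends."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    (n_sections,) = struct.unpack_from("<H", data, pe_off + 6)
    (opt_size,) = struct.unpack_from("<H", data, pe_off + 20)
    table = pe_off + 24 + opt_size                            # section table start
    end = table + 40 * n_sections
    for i in range(n_sections):
        # SizeOfRawData and PointerToRawData sit at +16 and +20 in each header.
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return end


def split_sandwich(data: bytes):
    """Return (dropper, propagation, smtp_library), or None when the overlay
    length does not match the two documented component sizes."""
    end = pe_image_end(data)
    overlay = data[end:]
    if len(overlay) != PROPAGATION_SIZE + SMTP_LIBRARY_SIZE:
        return None
    return data[:end], overlay[:PROPAGATION_SIZE], overlay[PROPAGATION_SIZE:]


def build_constructed_sample() -> bytes:
    """Constructed stand-in: a minimal one-section PE header with filler bytes
    in place of every component (no real code)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)
    section = b".text\0\0\0" + struct.pack("<IIII", 0x200, 0x1000, 0x200, 0x200) + b"\0" * 16
    image = (dos + coff + section).ljust(0x200, b"\0") + b"D" * 0x200
    return image + b"P" * PROPAGATION_SIZE + b"S" * SMTP_LIBRARY_SIZE


if __name__ == "__main__":
    parts = split_sandwich(build_constructed_sample())
    print([len(p) for p in parts])
```

A `None` result only means the sample does not match this assumed layout; a packed or re-wrapped dropper would need to be unpacked first.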
Strings within the dropper and propagation components suggest the worm is intended to arrive in a message with the following characteristics:
Various subject lines and message bodies are carried within the worm...
...Attachment: Various filenames chosen from the following list (tailored to subject/message body):