Summary

| Detected by | All Sophos products |
|---|---|
Action

Please follow the instructions for removing worms.
Before removing the infected mail from your inbox, download and install the patch from Microsoft Security Bulletin MS01-027:
http://www.microsoft.com/technet/security/bulletin/MS01-027.asp.
Shut down all possible programs and services before running
ATTRIB -R WHATEVER.EXE.
If problems persist contact support.
More Information
W32/Aliz-A is an email-aware worm. On execution the worm looks in the registry to find a suitable SMTP server address and then sends itself to entries in the Windows Address Book. The email uses a known exploit in certain versions of Outlook Express 5 so as to launch the attachment automatically. Microsoft has released a patch which addresses this vulnerability. It is available at http://www.microsoft.com/technet/security/bulletin/MS01-027.asp.
(This patch fixes a number of vulnerabilities in Microsoft's software, including the one exploited by this worm.)
The attachment is named whatever.exe.
The email's subject line is randomly generated from a list of different components.
The subject line begins with either "Fw: " or "Fw: Re" and then randomly chooses a phrase. The phrase begins with either "Cool", "Nice", "Hot", "Some", "Funny", "weird", "funky", "great", "Interesting" or "many" and continues with a word randomly chosen from "website", "site", "pics", "urls", "pictures", "stuff", "mp3s", "shit", "music" or "info".
The phrase ends with one of the following: "to check", "for you", "i found", "to see", "here", "- check it".
Finally the subject line finishes with either "!!", "!", ":-)", "?!" or "hehe ;-)"
Because subject lines are built this way, the worm can produce many different subject lines. Examples include:
"Fw: Cool site for you ?!"
"Fw: Re Hot urls i found hehe ;-)"
and
"Fw: Funny shit here !!"
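As a defensive illustration (an added example, not Sophos code), the following mail-gateway style check is built from the subject components and attachment name listed above. The case-insensitive, whitespace-tolerant matching and the "high"/"low" confidence labels are assumptions of this example, and the sample messages are constructed.

```python
import re
from math import prod

# Subject components as listed in the description above, in order of use.
PARTS = [
    ["Fw: Re", "Fw:"],
    ["Cool", "Nice", "Hot", "Some", "Funny", "weird", "funky", "great",
     "Interesting", "many"],
    ["website", "site", "pics", "urls", "pictures", "stuff", "mp3s", "shit",
     "music", "info"],
    ["to check", "for you", "i found", "to see", "here", "- check it"],
    ["!!", "!", ":-)", "?!", "hehe ;-)"],
]
ATTACHMENT = "whatever.exe"  # attachment name given in the description

def _alt(options):
    """Build a non-capturing alternation of literal strings."""
    return "(?:" + "|".join(re.escape(o) for o in options) + ")"

# Assumption: match case-insensitively and tolerate extra whitespace between
# components, since clients and gateways may normalise headers differently.
SUBJECT_RE = re.compile(
    r"\s+".join(_alt(p) for p in PARTS[:4]) + r"\s*" + _alt(PARTS[4]),
    re.IGNORECASE,
)

def subject_space():
    """Number of distinct subjects the five component lists can produce."""
    return prod(len(p) for p in PARTS)

def classify(subject, attachment_names):
    """Return 'high' (subject and attachment match), 'low' (subject only) or None."""
    if SUBJECT_RE.fullmatch(subject.strip()) is None:
        return None
    names = {n.strip().lower() for n in attachment_names}
    return "high" if ATTACHMENT in names else "low"

# Constructed sample messages: (subject, attachment filenames).
SAMPLES = [
    ("Fw: Cool site for you ?!", ["whatever.exe"]),
    ("Fw: Re Hot urls i found hehe ;-)", ["WHATEVER.EXE"]),
    ("Fw: Funny shit here !!", []),
    ("Fw: Re Quarterly budget for you", ["budget.xls"]),
]

if __name__ == "__main__":
    print("subject combinations:", subject_space())
    for subject, files in SAMPLES:
        print(classify(subject, files), "|", subject)
```

Enumerating the component lists gives the size of the subject space, which is why matching the structure is more practical than listing fixed subject strings.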
