From Symantec: "BAT.Snoital@mm is a batch file worm that will try to delete antivirus software from your computer. It spreads through MAPI-enabled email clients, such as Microsoft Outlook and IRC. The email will have the following characteristics: Subject: Free antivirus program Attachment: Nod32.bat Type: Worm Infection Length: 13,425 bytes Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me Systems Not Affected: Windows 3.x, Macintosh, OS/2, UNIX, Linux BAT.Snoital@mm arrives in an email with the following characteristics: Subject: Free antivirus program Message Body: Best free antivirus around Attachment: Nod32.bat When BAT.Snoital@mm is run, it does the following: Deletes the following files: %Program Files%avpersonalantivir.vdf %Program Files%f-prot95fpwm32.dll %Program Files%kasper~1avp32.exe %Program Files%mcafeescan.dat %Program Files%norton~1*.exe %Program Files%norton~1s32integ.dll %Program Files%tbavtbav.dat %Program Files%trojan~1tc.exe %Program Files%tbscan.sig Copies itself to various locations on the system. The filenames vary and may consist of what appears to be random characters. For example: C:Nod32.bat %Windir%fgun.bat %Windir%uatvs.bat Creates several script files. Some typical filenames are: C:kazzad.vbs C:qhmhs.vbs %windir%snphh.js When the scripts are run, they do the following: Sends a copy of the worm to all the contacts in the Windows Address Book. These files will be detected as Bloodhound.VBS.Worm. Creates various registry values, including: "kfienq"="%windir%fgune.bat" in the key: HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun and: "Event17" = "dcc send $nick C:VircSuck-Me.BAT" in the key: HKEY_CURRENT_USERSoftwareMegalith SoftwareVisual IRC 96Events The last registry value will cause a particular IRC client to send the worm to IRC users when they enter the same channel as the current victim. Overwrite all the .VBS and .JS scripts with malicious scripts, which execute and send the worm by email. NOTE: Due to bugs in the worm, it may not be able to correctly attach itself to email messages." For more information: http://www.symantec.com/avcenter/ Regards, Jade .