Eventually, the worm infects nearly every process in the computer. The worm hooks the MAPISendMail function in any process that imports the MAPI32.dll, and adds itself as Setup.exe to any RAR archives in outgoing mail. This action is not restricted to any particular mail client.
The worm gets its name from a text string in its body; however, this string is not visible until the file is decrypted and decompressed.
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":