This worm spreads via email and mIRC. It sends a copy of itself to all lists in the infected user's address book. The worm also sends a copy of itself to the users in mIRC disguised as "A List Of Hacked Porno site passwords". If the current system date is April 20 or December 25, the worm deletes all files and subdirectories in the current directory.
Left-Click the START button and select RUN
Type REGEDIT and click the OK button
Find the following registry entries by clicking the box with a ‘+’ in it beside that entry:
HKEY_CURRENT_USERS\Software\Micorsoft\WindowsCurrentVersion\Run\ScanRegistry. Click the value "C:\Windows\calc.vbs" and press "Delete"
HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsCurrentVersion\Run\. Click the value "C:\Windows\sys.vbs" and press "Delete"
HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsCurrentVersion\RunServices\. Click the value "C:\Windows\temp.vbs" and press "Delete".
HKEY_CURRENT_USER\Software\Microsoft\WindowsCurrentVersion\. Click the value "Sent?" and press "Delete"
Right-Click the START button and select FIND. Find each of these files in Drive c:\. When found, click it and press "Delete" to delete them:
Left-Click the START button and select RUN Type SYSEDIT and click the OK button.
Click the window “c:\Windows\win.ini” and highlight and delete the following lines: run=C:\Windows\win.vbs
Click the window “c:\Windows\system.ini” and highlight and delete the text “C:\Windows\fax.vbs” which is found after “shell=Explorer.exe”.
Scan your system with Trend antivirus and delete all files detected as VBS_TUNE.E. To do this Trend customers must download the latest pattern file and scan their system. Other email users may use Trend HouseCall, a free online virus scanner.