
Randon Worm

Sophisticated Bug


digitalghost

11:27 am on May 22, 2003 (gmt 0)

I got an email with the subject line "Mailer Daemon" and since I had received 4 legitimate messages with that subject line I didn't think much of it. I was sure the attachment was .eml but it must have been .hta

Anyway, it made it through the scanner and when I clicked on the attachment my AV program identified it as the Randon Worm and told me three files were infected.

I checked my desktop and there was an output file and then a mIRC.exe came to life on my toolbar.

Distribution
Upon detection of an open port (445) the worm runs the batch files sencs.bat and incs.bat which try to locate open resources on the remote computer and connect to them using one of the following passwords:

"admin", "administrator", "root", "admin", "test", "test123", "temp", "temp123", "pass", "password", "changeme"

If a connection is successful the worm opens a socket on port 445, transfers the trojan horse TrojanDownloader.Win32.APher.gen and runs it. This trojan downloads a self-extracting archive of the worm's 'full' version from "www.q8kiss.net" and installs it in the system.

Getting rid of the worm was easy, but the mIRC.exe took some doing. My firewall wouldn't let the mIRC.exe connect, so it kept trying, running system resources up to max then the PC locked up. Fun stuff.

A clean boot disk solved that problem, but the worm wrote to an NT folder and kept denying access to the file. Another clean boot and I was able to delete it.

While I'm not too happy about getting infected the worm itself is pretty slick. If I hadn't caught it before it managed to download all of its parts it would have been quite messy.

Just a heads up, look out for this one. I saw two more in my email this morning.
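The port-445 password-guessing behaviour quoted in the post above is easy to spot in authentication logs, because the worm walks a fixed short list and then logs in. The following is an added example, not code from this thread or from any AV vendor: it assumes a constructed log-line format and constructed sample lines, flags any source that fails several port-445 logons inside a short window, records whether a later logon from that source succeeded, and offers a password-policy check against the worm's quoted guess list.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Guess list the worm cycles through, as quoted in the thread.
WORM_GUESSES = {"admin", "administrator", "root", "test", "test123", "temp",
                "temp123", "pass", "password", "changeme"}
# Assumed log format (constructed for this example, not any real product's):
#   "<date> <time> src=<ip> dport=<port> user=<name> result=OK|FAIL"
LINE_RE = re.compile(r"^(\S+ \S+) src=(\S+) dport=(\d+) user=(\S+) result=(OK|FAIL)$")
# Constructed sample: one host walks the worm's list and gets in; the rest is noise.
SAMPLE_LOG = """\
2003-05-22 11:20:01 src=10.0.0.5 dport=445 user=admin result=FAIL
2003-05-22 11:20:02 src=10.0.0.5 dport=445 user=administrator result=FAIL
2003-05-22 11:20:02 src=10.0.0.5 dport=445 user=root result=FAIL
2003-05-22 11:20:03 src=10.0.0.5 dport=445 user=test result=FAIL
2003-05-22 11:20:04 src=10.0.0.5 dport=445 user=temp result=FAIL
2003-05-22 11:20:05 src=10.0.0.5 dport=445 user=admin result=OK
2003-05-22 11:25:00 src=10.0.0.7 dport=445 user=alice result=FAIL
2003-05-22 11:31:00 src=10.0.0.8 dport=139 user=bob result=FAIL""".splitlines()

def in_worm_dictionary(password):
    """Password-policy check: True if the worm's list would open this account."""
    return password.lower() in WORM_GUESSES  # case-folded, stricter than the worm

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # unrelated or malformed line
    ts, src, dport, user, result = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "src": src,
            "dport": int(dport), "user": user, "result": result}

def find_guessing_sources(lines, window=timedelta(minutes=5), threshold=5):
    """Map src -> (failed logons in the burst, whether a logon later succeeded)
    for sources that fail >= threshold port-445 logons inside `window`."""
    by_src = defaultdict(list)
    for ev in filter(None, map(parse_line, lines)):
        if ev["dport"] == 445:
            by_src[ev["src"]].append(ev)
    flagged = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "FAIL"]
        for i, first in enumerate(fails):
            burst = [e for e in fails[i:] if e["ts"] - first["ts"] <= window]
            if len(burst) >= threshold:
                # an OK after the burst is the worm's "connection successful" step
                got_in = any(e["result"] == "OK" and e["ts"] >= burst[-1]["ts"] for e in evs)
                flagged[src] = (len(burst), got_in)
                break
    return flagged
```

A flagged source with `got_in` set is the one to isolate first, since at that point the worm has already begun transferring its downloader.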

chris_f

7:56 am on May 23, 2003 (gmt 0)

Thanks for the heads up digitalghost,

An annoying new virus was released yesterday. I haven't got its name yet. It uses the same 3 pronged attack as Nimda to infect machines (with some small changes). It flips your monitor and mouse upside down and back to front. One of my schools is infected :(.

Chris

mivox

4:33 pm on May 23, 2003 (gmt 0)

Just started getting copies of Mailer Daemon yesterday (and this on top of all the messages support@microsoft is sending! ;) ).

With all the new Windows buggies coming out all of a sudden, I'm thinking it's time to update the virus defs for my Mac... just in case the sudden proliferation "inspires" someone on this side of the divide.