The worm’s malicious code is spread via the Internet as an infected file attached to e-mail. The worm is a Windows attachment about 4K in length. An infected message contains:

Subject: varying
Body: empty HTML message
Attach: whatever.exe

The worm launches itself by taking advantage of a security flaw in the IFRAME e-mail client in the same way as the “Nimda” Internet worm. At the same time, the infected enclosure is automatically activated upon reading or viewing a message.

When an infected file is run, the unpacking routine takes control, unpacks the main worm code into the memory and jumps to it. The main code then sends infected messages to e-mail addresses found in WAB (Windows Address Book). To send e-mails, the worm connects by default to the SMTP server. The worm does not install itself to the system, and is not activated anymore, except in cases when a user clicks on an attached e-mail again. Namely, the worm is “one-time-only,” and does not reveal its presence in the system. The worm’s e-mail-spreading routine has several mistakes and flaws; therefore, it is incapable of spreading on the majority of e-mail client-server configurations.

PC DoorGuard detects and cures "Aliz worm" and its clones. The usage is pretty strait- run it and delete any found infected files.

PC DoorGuard 3.0 (3.3Mb)
Download locations		EXE file
	USA (astonsoft.com)	Download
	USA 2	Download