If it is executed, VBS.Annod.B does the following:

It searches for .exe files that are in the current folder (the same folder as the virus). It does not search subfolders of the current folder. If it finds any .exe files, they are overwritten by a copy of the script. Such files cannot be repaired and must be deleted.

It copies itself as the following files on drive C:

• %Windows\Temp%\XXX_Porn_MADONNA.Jpeg
• %Windows%\Sex_Madonna.JPG
• %Windows%\Emm386.exe
• %Windows%\Sol.exe
• %Windows%\caca.txt
• %Windows%\Cdplayer.exe
• %Windows%\CHILE.Pais
• %Windows%\Sex_Madonna2.txt
• %Windows%\Madonna_sucking_my_d**k.AVI
• %Windows%\Crazy_for_you.MP3
• %Windows%\Bill_Gates_GAY.bmp
• %Windows%\Santiago,Chile
• %Windows%\avpcc.exe
• %Windows%\msconfig.exe
• %Windows%\pbrush.exe
• %Windows%\Mshearts.exe
• %Windows%\Soy_el_mejor.AGM
• %Windows%\hh.exe
• %Windows%\Notepad.exe
• %Windows%\Scandiskw.exe
• %Windows%\Defrag.exe
• %Windows%\avp32.ini
• %Windows%\Explorer.exe
• %Windows%\Regedit.exe
• %Windows%\Win.ini
• %Windows%\Win.com
• %Windows%\Command.com
• %Windows%\Asd.exe
• %Windows%\Wscript.exe
• %Windows\System%\AVP_Monitor.EXE
• %Windows\System%\Like_A_Virgin.MP3
• %Windows\System%\Erotica.MP3
• %Windows\System%\Don't_Cry_for_me_Argentina.mp3
• %Windows\System%\Secret.MP3
• %Windows\System%\Holiday.MP3
• %Windows\System%\Borbeline.MP3
• %Windows\System%\Don't_tell_me.MP3
• %Windows\System%\avpcc.exe
• %Windows\System%\AVP_The_moore_goog.exe
• %Windows\System%\NAV_The_more_poor.exe
• %Windows\ System%\VShield.exe
• %Windows\ System%\AVP_EL_MEJOR.EXE
• %Windows\ System%\Norton_AV_EL_PEOR!!!!!!!.EXE
• %Windows\ System%\avprescue.exe
• %Windows\ System%\Panda_AntiVirus.exe
• %Windows\ System%\NOD32.EXE
• %Windows\ System%\Jadraquer_Killer.txt

• %Windows% is a variable. The worm locates the \Windows folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.
• %Windows\System% is a variable. The worm locates the \Windows\System folder (by default, this is C:\Windows\System or C:\Winnt\System32) and copies itself to that location.
• %Windows\Temp% is a variable. The worm locates the \Windows\Temp folder (by default, this is C:\Windows\Temp or C:\Winnt\Temp) and copies itself to that location.

The virus also creates the text file C:%Windows%\Madonna.txt.

NOTE: Because this file is not in itself viral, it is not detected by Norton AntiVirus.

The virus then displays the following messages:

1. Obtain the most recent virus definitions. There are two ways to do this:
• Run LiveUpdate. LiveUpdate is the easiest way to obtain virus definitions. These virus definitions have undergone full quality assurance testing by Symantec Security Response and are posted to the LiveUpdate servers one time each week (usually Wednesdays) unless there is a major virus outbreak. To determine whether definitions for this threat are available by LiveUpdate, look at the Virus Definitions (LiveUpdate) line at the top of this write-up.
• Download the definitions using the Intelligent Updater. Intelligent Updater virus definitions have undergone full quality assurance testing by Symantec Security Response. They are posted on U.S. business days (Monday through Friday). They must be downloaded from the Symantec Security Response Web site and installed manually. To determine whether definitions for this threat are available by the Intelligent Updater, look at the Virus Definitions (Intelligent Updater) line at the top of this write-up.
  
  Intelligent Updater virus definitions are available here. For detailed instructions on how to download and install the Intelligent Updater virus definitions from the Symantec Security Response Web site, click here.
  
2. Start Norton AntiVirus (NAV), and make sure that NAV is configured to scan all files. For instructions on how to do this, read the document How to configure Norton AntiVirus to scan all files.
3. Run a full system scan.
4. Delete all files that are detected as VBS.Annod.B. Replace deleted files from a clean backup or reinstall them.