Removal:

Step 1) Cleaning up your registry keys. Since the worm reg-hacks to hide itself, do this one FIRST.

The worm adjusts the properties of Windows Explorer: it accesses the following keys and changes them so the system cannot show hidden files (mostly Win2K & ME), so infected files will not be seen by Explorer.

  [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]

Registry values created/changed to hide files:

  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden

The worm tries to create this key:

  [HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces]

The worm also deletes all subkeys from these keys to disable sharing security:

  [HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Services\lanmanserver\Shares\Security]
  [HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Services\lanmanserver\Share\Security]

Step 2) Remove "loader" settings to disable autorun on boot.

The worm modifies the SYSTEM.INI file in order to activate itself on every startup. Remove this line from the SYSTEM.INI file and reboot the computer:

  [boot]
  shell=explorer.exe load.exe -dontrunold

Step 3) Remove the payload files.

When executed, the virus copies itself into several Windows system directories. These files have the system and hidden attributes set. It will overwrite any original files if they already exist. Delete all the "worm dropping" files (original files which have been overwritten should be restored from backup):

  MMC.EXE      (in Windows directory; MS Management Console - the worm can overwrite this file)
  LOAD.EXE     (in Windows' system directory)
  RICHED20.DLL (in Windows' system directory)
  ADMIN.DLL    (in the root folder of all local hard drives: C:\, D:\, E:\ etc.)
  WININIT.INI  (in Windows directory)

Also scan all local hard drives for any hidden RICHED20.DLL files and delete them. Replace RICHED20.DLL in the system32 folder with a clean copy.

The worm also copies itself to the Temporary directory with random MEP*.TMP and MA*.TMP.EXE names, for example:

  mep01A2.TMP
  p1A0.TMP.exe
  pE002.TMP.exe
  pE003.TMP.exe
  pE004.TMP
  README.EXE
  root.exe

To be safe, delete all files with the .TMP extension from your local temporary directories:

  \Temp\
  \Windows\Temp\
  \documents and settings\username\local settings\temp

(from f-secure) The worm enumerates shared network resources and recursively scans files on remote systems. If the worm finds an .EXE file on a remote system, it reads the file, deletes it and then writes a new file in which the worm body is placed first and the original EXE file is present as a resource. Later, when this affected file is run, the worm extracts the EXE file resource and runs it. The worm checks the file name for 'WinZip32.exe' and doesn't affect this file if it is found. The worm accesses the [SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths] key, reads the subkeys from there and affects all files listed in the subkeys the same way it affects remote EXE files (see above). The only file the worm leaves alone is WinZip32.exe. The worm also reads the user's personal folders from the [Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders] key and infects files in these folders as well.

Step 4) REBOOT.

Step 5) Removing infected message files.

Delete all .EML files generated by the virus. It creates .EML (mostly) or .NWS (occasionally) files with randomly selected names.

Step 6) Fixing WinZip.

Completely REMOVE WinZip from the system and re-install it after reboot.

Step 7) Cleaning the HTML files.

Check all *.HTML, *.ASP and *.HTM files, as well as files that have the words 'DEFAULT', 'INDEX', 'MAIN' and 'README' in their filenames, for the small JavaScript code referring to the README.EML file, and remove it or restore the affected files from a backup. This JavaScript code is located at the very end of affected files. Search the file types above for readme.eml, but pay close attention to the following default file names:

  index.html    index.htm    index.asp
  readme.html   readme.htm   readme.asp
  main.html     main.htm     main.asp
  default.html  default.htm  default.asp

Step 8) Removing Admin rights from GUEST.

Check if the GUEST account is in the ADMINISTRATORS group; if yes, remove it from the group.

Step 9) Fixing Shares.

Check the sharing of the local disks and remove unnecessary shares; the virus enables admin shares on infected systems. To be safe, remove all shares from all local hard drives and renew these shares with correct access rights if needed. This needs to be done because the worm affects share security. Check especially the \\localhost\c$ share rights.

Step 10) FIX THAT HOLE. Apply the MS patches.

  Internet Explorer 5.01: http://www.microsoft.com/windows/ie/download/critical/q295106/default.asp
  Internet Explorer 5.5:  http://www.microsoft.com/windows/ie/download/critical/q299618/default.asp
  Microsoft IIS 4.0:      http://www.microsoft.com/ntserver/nts/downloads/critical/q269862/default.asp
  Microsoft IIS 5.0:      http://www.microsoft.com/windows2000/downloads/critical/q269862/default.asp
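The steps above are a manual checklist; the script below is an added example (not part of the original post, and not vendor code) that audits the same indicators in one pass so you can see what the worm changed before you start cleaning, and re-run it afterwards to confirm nothing was missed. It is read-only: it reports the Explorer hidden-file values, the wiped share-security keys, the SYSTEM.INI load line, the dropped files, hidden RICHED20.DLL copies, .TMP droppings, .EML/.NWS files, web pages referencing readme.eml, Guest in Administrators, and the current share list, but changes nothing. It assumes Windows PowerShell 5.1 or later (for Get-LocalGroupMember and Get-SmbShare); the "expected" Explorer values (show hidden files, show extensions, show super-hidden files) are my assumption of a sane post-cleanup state, and the HKLM share-security path is added because on NT-family systems that is where the live copy lives.

```powershell
# Added example: read-only Nimda indicator audit. Reports only; never modifies anything.
$findings = New-Object System.Collections.Generic.List[string]

# Step 1: Explorer values the worm flips so its hidden files stay invisible.
# Assumed clean state: Hidden=1 (show hidden), HideFileExt=0, ShowSuperHidden=1.
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$expected = @{ Hidden = 1; HideFileExt = 0; ShowSuperHidden = 1 }
$props = Get-ItemProperty -Path $adv -ErrorAction SilentlyContinue
if ($props) {
    foreach ($name in $expected.Keys) {
        $actual = $props.$name
        if ($null -ne $actual -and $actual -ne $expected[$name]) {
            $findings.Add("Explorer\Advanced\$name = $actual (expected $($expected[$name]))")
        }
    }
}

# Step 1: share security keys the worm empties. The post lists HKCU; HKLM is checked too (assumption).
foreach ($hive in 'HKCU:', 'HKLM:') {
    foreach ($sub in 'Shares\Security', 'Share\Security') {
        $sec = "$hive\SYSTEM\CurrentControlSet\Services\lanmanserver\$sub"
        if (Test-Path -Path $sec) {
            $count = (Get-Item -Path $sec).ValueCount
            if ($count -eq 0) { $findings.Add("$sec exists but holds no values (share security wiped?)") }
        }
    }
}

# Step 2: the SYSTEM.INI shell= hook that relaunches load.exe at every boot.
$sysini = Join-Path $env:windir 'system.ini'
if (Test-Path -Path $sysini) {
    $hit = Select-String -Path $sysini -Pattern 'load\.exe.*-dontrunold'
    if ($hit) { $findings.Add("system.ini still loads the worm: $($hit.Line.Trim())") }
}

# Step 3: dropped files at their fixed locations.
$sysdir = Join-Path $env:windir 'system32'
$roots = Get-PSDrive -PSProvider FileSystem |
    Where-Object { $_.Root -match '^[A-Z]:\\$' -and -not $_.DisplayRoot } |
    ForEach-Object { $_.Root }
$drops = @((Join-Path $sysdir 'load.exe'), (Join-Path $env:windir 'wininit.ini'))
$drops += $roots | ForEach-Object { Join-Path $_ 'admin.dll' }
foreach ($f in $drops) {
    if (Test-Path -LiteralPath $f) { $findings.Add("dropped file present: $f") }
}

# Step 3: .TMP / .TMP.EXE droppings in the temp directories named in the post.
$tempDirs = @($env:TEMP, (Join-Path $env:windir 'Temp')) | Where-Object { $_ -and (Test-Path $_) }
foreach ($t in $tempDirs) {
    Get-ChildItem -Path $t -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '\.tmp(\.exe)?$' } |
        ForEach-Object { $findings.Add("temp dropping: $($_.FullName)") }
}

# Steps 3, 5 and 7 in a single walk of each local drive (slow on large disks):
# hidden riched20.dll copies outside system32, .eml/.nws message files,
# and web pages whose source references readme.eml.
foreach ($root in $roots) {
    Get-ChildItem -Path $root -Recurse -Force -File -ErrorAction SilentlyContinue `
        -Include 'riched20.dll', '*.eml', '*.nws', '*.htm', '*.html', '*.asp' |
    ForEach-Object {
        $isHidden = ($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0
        switch -Wildcard ($_.Name) {
            'riched20.dll' {
                if ($_.DirectoryName -ne $sysdir -and $isHidden) { $findings.Add("hidden riched20.dll copy: $($_.FullName)") }
            }
            '*.eml' { $findings.Add("message file to review: $($_.FullName)") }
            '*.nws' { $findings.Add("message file to review: $($_.FullName)") }
            default {
                # Select-String is case-insensitive by default; -List stops at the first match per file.
                if (Select-String -LiteralPath $_.FullName -Pattern 'readme\.eml' -List -ErrorAction SilentlyContinue) {
                    $findings.Add("web page references readme.eml: $($_.FullName)")
                }
            }
        }
    }
}

# Step 8: Guest must not be in Administrators.
$admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
if ($admins | Where-Object { $_.Name -like '*\Guest' }) { $findings.Add('Guest is a member of Administrators') }

# Step 9: list every share so unexpected ones can be removed by hand.
Get-SmbShare -ErrorAction SilentlyContinue |
    ForEach-Object { $findings.Add("share: $($_.Name) -> $($_.Path)") }

if ($findings.Count -eq 0) { 'No Nimda indicators found.' } else { $findings }
```

Run it from an elevated prompt so the HKLM keys, the Administrators group and the share list are readable; each line of output maps back to the step above that removes the indicator, and a second run after Step 10 should produce only the share list you intend to keep.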