From the doc: 'Loads a hta into start up of eng NT, apon reboot it downloads and runs a trojan (after a fifteen minute pause, in case they are dial up). This can be a bo2k trojan. It is all silent. AKA JS.Trojan.Freq.F... What this does, in a nutshell - it uploads a hex'd version of the Thing server v1.6, reconstructs it into an executable, runs it... then, on next reboot deletes all of the files in the startup folder before they are run a second time. It is exploitable by email, webpage, or newspost. There has been a patch released for the script lib... but, because Microsoft does not advertise these things and people do not update their systems ('what the hell is script lib?', 'do I have to reboot, no way!', they say)... you will find a very large number of systems 'at risk'.'