When executed, the worm copies itself into the following locations:
- Windows folder as Reload.vbs
- Windows\System folder as Linux32.vbs
- Windows\System folder as a randomly generated 4- to 8-character file ending in .gif.vbs, .jpg.vbs, or .bmp.vbs
The worm checks whether Winfat32.exe exists in the Windows\System folder. If the file is present, the worm randomly sets the Internet Explorer Start Page to one of the following Web addresses:
- http:/ /members.fortunecity.com/plancolombia/macromedia32.zip
- http:/ /members.fortunecity.com/plancolombia/linux322.zip
- http:/ /members.fortunecity.com/plancolombia/linux321.zip
Depending on which file is downloaded, the worm performs the following action:
- Copies Macromedia32.zip as the hidden file Important_note.txt in the Windows folder and modifies the registry to load this text file at startup.
- Copies Linux321.zip as \Windows\Syslogos.sys to replace the screen that is displayed when Windows has shut down.
- Copies Linux322.zip as \Windows\Logow.sys to replace the screen that is displayed when Windows is shutting down.
The worm also creates the file Us-president-and-fbi-secrets.htm in the Windows folder, but this file is not loaded.
The worm uses MAPI calls to the Microsoft Outlook application and creates messages by iterating through all addresses in the Microsoft Outlook address book. The worm marks these recipients using the registry in an attempt to send them the mail only once.
The randomly generated file names appear in all capital letters and are formatted so that every even numbered letter is a vowel, for example, SOXU, DEII, YIEUHUDI, BILALU, and so on.
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":