When the worm is executed, it creates the following files:
- %UserProfile%\Local Settings\jlc3V7we\6EaqyFfo.zIK
- %UserProfile%\Local Settings\jlc3V7we\IZsROY7X.-MP
- %UserProfile%\Local Settings\jlc3V7we\WeP1xpBU.wA-
- %UserProfile%\Local Settings\jlc3V7we\eiYNz1gd.Cfp
- %UserProfile%\Local Settings\jlc3V7we\hypn4cqI.HSC
- %UserProfile%\Local Settings\jlc3V7we\lUnsA3Ci.Bz7
- %UserProfile%\Local Settings\jlc3V7we\t2HBeaM5.OUk
The worm then creates the following registry entry so that it runs each time the current user logs on. The entry uses rundll32.exe to load one of the dropped files (IZsROY7X.-MP) as a DLL and call its export F1dd208; the non-standard extension hides the fact that the file is a DLL:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"*J7PugHy" = "%System%\rundll32.exe \"%UserProfile%\Local Settings\jlc3V7we\IZsROY7X.-MP\",F1dd208"
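The entry above has a recognisable shape: rundll32.exe loading a module with a non-DLL extension from a randomly named 8-character directory under the user profile, registered under a value name with a leading asterisk. The following Python script, added here as an example (it is not Symantec's code and does not appear in the original write-up), triages HKCU Run values against that shape. The sample Run values are constructed; the `RANDOM_NAME_RE` pattern is generalised from the file listing above, and the `AppData\Local` alternative is an assumption for post-XP profile layouts. On Windows it reads the live Run key; elsewhere it falls back to the constructed sample.

```python
"""Triage HKCU\\...\\Run values for the rundll32 persistence pattern described above.

Added example, not the vendor's code. Sample values below are constructed; only the
shape of the malicious entry (rundll32 + odd-extension module + '*' value name)
is taken from the write-up.
"""
import ntpath
import re
import sys
from typing import Dict, List

# Constructed sample of Run values (value name -> command line). The second entry
# mirrors the write-up's entry with %UserProfile% expanded the way an XP-era host
# would store it; the others are benign filler.
SAMPLE_RUN_VALUES: Dict[str, str] = {
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    "*J7PugHy": (r'C:\WINDOWS\system32\rundll32.exe '
                 r'"C:\Documents and Settings\alice\Local Settings\jlc3V7we\IZsROY7X.-MP",F1dd208'),
    "SoundMan": r"SOUNDMAN.EXE",
    "Adobe Reader": r'"C:\Program Files\Adobe\Reader\Reader_sl.exe"',
}

# rundll32 <module>,<export>: host is an optionally quoted path ending in rundll32[.exe],
# module is an optionally quoted path, export follows the comma.
RUNDLL32_RE = re.compile(
    r'^\s*"?(?P<host>[^"\s]*rundll32(?:\.exe)?)"?\s+'
    r'"?(?P<module>[^",]+?)"?\s*,\s*(?P<export>\S+)',
    re.IGNORECASE,
)

# Derived from the dropped-file listing: an 8-character directory and an 8-character
# file name with a 3-character extension. "AppData\Local" is an assumed generalisation
# for profile layouts newer than "Local Settings".
RANDOM_NAME_RE = re.compile(
    r'\\(?:Local Settings|AppData\\Local)\\[A-Za-z0-9]{8}\\[A-Za-z0-9]{8}\.[^\\.]{3}$',
    re.IGNORECASE,
)

# Extensions rundll32 legitimately loads; anything else is worth a look.
DLL_LIKE_EXTENSIONS = {".dll", ".cpl", ".ocx", ".ax", ".drv"}


def triage_run_value(name: str, command: str) -> List[str]:
    """Return the reasons a Run value resembles the persistence entry above.

    An empty list means the value is not a rundll32 launch or raised no flags.
    ntpath is used so %VAR% expansion and backslash paths work on any analysis host.
    """
    reasons: List[str] = []
    match = RUNDLL32_RE.match(ntpath.expandvars(command))
    if not match:
        return reasons
    module = match.group("module")
    ext = ntpath.splitext(module)[1].lower()
    if ext not in DLL_LIKE_EXTENSIONS:
        reasons.append(f"rundll32 loads a module with non-DLL extension {ext!r}")
    lowered = module.lower()
    if "\\local settings\\" in lowered or "\\appdata\\" in lowered:
        reasons.append("module lives in the user profile rather than System32/Program Files")
    if RANDOM_NAME_RE.search(module):
        reasons.append("8-character directory/file name pattern matches the dropped files")
    if name.startswith("*"):
        # Rare for legitimate software; for RunOnce a leading '*' is the Safe-Mode convention.
        reasons.append("value name has a leading '*'")
    return reasons


def triage_all(values: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each suspicious value name to its reasons; clean entries are omitted."""
    hits: Dict[str, List[str]] = {}
    for name, cmd in values.items():
        reasons = triage_run_value(name, cmd)
        if reasons:
            hits[name] = reasons
    return hits


def enumerate_hkcu_run() -> Dict[str, str]:
    """Read the current user's Run key on a live Windows host (per-user, like the entry above)."""
    import winreg  # Windows only
    values: Dict[str, str] = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                        r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        index = 0
        while True:
            try:
                name, data, _kind = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            values[name] = str(data)
            index += 1
    return values


if __name__ == "__main__":
    source = enumerate_hkcu_run() if sys.platform == "win32" else SAMPLE_RUN_VALUES
    for hit_name, hit_reasons in triage_all(source).items():
        print(f"[!] {hit_name!r}")
        for reason in hit_reasons:
            print(f"    - {reason}")
```

Run it under the affected user's account, since HKCU is per-user; a rundll32 entry that trips only the extension check deserves a look at the file header (a DLL with a renamed extension still starts with `MZ`), while an entry that trips all four checks is a close match to the indicator above.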
It then attempts to open a back door on the compromised computer by connecting to the following location:
[http://]176.58.100.37/stat[REMOVED]
The remote attacker may perform the following actions:
- Log keystrokes
- Download and upload files
- Take screenshots
- Steal information from the computer's clipboard
- Record images and sound using the compromised computer's webcam and mic
It then attempts to stop processes related to antivirus applications.
It may monitor the user's activity in the following applications:
- Firefox
- Internet Explorer
- Chrome
- Microsoft Messenger
- Skype
- Google Talk
- Yahoo! Messenger
It then attempts to spread by copying itself to all removable drives and to any VMware image that it finds.
It may also drop two files onto any Windows Mobile device that is connected to the compromised computer and run them.
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":