This threat may arrive on the compromised computer as an email attachment.
When the worm executes, it copies itself to the following location:
Next, it creates the following registry entry so that it executes whenever Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Search" = "C:\Settings\search.cmd"
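A check for the registry entry above, as an added example that is not part of the original write-up. The value name and data come from the entry above; the variable names and the walk over HKEY_USERS (so the check covers every loaded profile, not only the caller's HKEY_CURRENT_USER) are assumptions of this example.

```powershell
# Added example: look for the Run value described above in every loaded user hive.
# Value name and data are taken from the write-up; all other names are illustrative.
$valueName = 'Search'
$expected  = 'C:\Settings\search.cmd'
$subKey    = 'Software\Microsoft\Windows\CurrentVersion\Run'

# HKEY_USERS holds one subkey per loaded profile (named by SID). HKCU is only an
# alias for the caller's own SID, so an administrator's check walks HKU instead.
$findings = foreach ($hive in Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue) {
    # Skip the <SID>_Classes hives; they do not contain a Run key.
    if ($hive.PSChildName -like '*_Classes') { continue }

    $runPath = "Registry::HKEY_USERS\$($hive.PSChildName)\$subKey"
    $prop = Get-ItemProperty -Path $runPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $prop) { continue }   # no "Search" value for this profile

    $data = [string]$prop.$valueName
    [pscustomobject]@{
        Sid        = $hive.PSChildName
        ValueName  = $valueName
        Data       = $data
        # True only when the data is the path given in the write-up
        # (case-insensitive, surrounding quotes ignored).
        ExactMatch = ($data.Trim('"') -ieq $expected)
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    Write-Output "No '$valueName' Run value found in any loaded user hive."
}
```

Profiles that are not currently loaded do not appear under HKEY_USERS and are not covered by this check. A "Search" value with different data is still listed, with ExactMatch set to False, so it can be reviewed by hand.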
The worm then drops the following image file and displays it:
It may also create and display a window with the following title:
Next, the worm enumerates all system drives from C through Z.
It then searches fixed drives for files with the following file extensions:
The worm then replaces the HTML body tag with the following script in each file that it finds:
Next, the worm attempts to spread by copying itself to shared Internet folders.
It also attempts to spread by copying itself to the following folders:
- %ProgramFiles%\Common files
- %UserProfile%\All Users\Application Data
- %UserProfile%\All Users\Desktop
- %UserProfile%\All Users\Documents
- %UserProfile%\All Users\My Music
- %UserProfile%\All Users\My Pictures
- %UserProfile%\All Users\My Videos
- %UserProfile%\All Users\Templates
- %UserProfile%\Application Data
- %UserProfile%\Local settings\Application Data
- %UserProfile%\My Documents
- %UserProfile%\My Documents\My Music
- %UserProfile%\My Documents\My Pictures
- %UserProfile%\My Documents\My Videos
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":