When the worm is executed, it copies itself as the following file:
%System%\lssas.exe
It also creates the following registry entry so that it runs when Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"LssaShellEx" = "%SYSTEM%\lsass.exe -reg "
It then attempts to spread by enumerating all drives from A: to Z: and by copying itself to other computers through the following share folders:
- \C$\Documents and Settings\All Users\Start Menu\Programs\Startup
- \D$\Documents and Settings\All Users\Start Menu\Programs\Startup
- \D$\Documents and Settings\user\Start Menu\Start Menu\Programs\Startup
Note: It also attempts to copy itself to the following shared folder but the code contains a bug and is missing a backslash (\) between "user" and "Start Menu":
\C$\Documents and Settings\userStart Menu\Start Menu\Programs\Startup
The worm executes a "net view" command to obtain the list of available shares.
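The artifacts described above (the Run-key value, the file name the worm drops, and copies written into Startup folders through administrative shares) are all things a defender can check for offline. The script below is an added example and is not part of the Symantec write-up: it triages two kinds of constructed input, (value name, command) pairs as exported from the HKLM ...\CurrentVersion\Run key, and file-creation paths as a file-system auditing tool would record them. The sample entries, host names and helper names are assumptions chosen for this example; the indicators themselves (the "LssaShellEx" value name, lssas.exe / lsass.exe, the Startup-folder paths) come from the write-up.

```python
"""Triage helper for the persistence and spreading artifacts in the write-up.

Added example (not Symantec's code). Works offline on constructed input.
"""
import ntpath
import re

# Indicators taken from the write-up.
RUN_VALUE_NAME = "lssashellex"              # Run-key value name the worm creates
WORM_FILE_NAMES = {"lssas.exe", "lsass.exe"}  # dropped file / Run-key target

# UNC path into an administrative share: \\host\X$\... (any drive letter).
ADMIN_SHARE_RE = re.compile(r"^\\\\[^\\]+\\[a-z]\$\\(.*)$", re.IGNORECASE)


def _first_token(command: str) -> str:
    """Return the executable part of a Run-key command, honouring quotes."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def flag_run_entries(entries):
    """Return Run-key entries that match the persistence described above.

    `entries` is an iterable of (value_name, command) pairs. An entry is
    flagged if its value name is the one the worm writes, or if the command
    launches one of the worm's file names. The legitimate lsass.exe is started
    by the OS, never from a Run key, so a Run entry naming it is suspicious.
    """
    hits = []
    for name, command in entries:
        exe = ntpath.basename(_first_token(command)).lower()
        reasons = []
        if name.lower() == RUN_VALUE_NAME:
            reasons.append("value name used by the worm")
        if exe in WORM_FILE_NAMES:
            reasons.append(f"Run entry launches {exe}")
        if reasons:
            hits.append({"name": name, "command": command, "reasons": reasons})
    return hits


def flag_startup_writes(paths):
    """Return file paths written into a Startup folder.

    Every Startup path in the write-up, including the buggy one missing a
    backslash, still ends in ...\\Programs\\Startup\\<file>, so that suffix is
    the stable thing to match. `via_admin_share` is True when the write went
    through an administrative share, which is how the worm spreads.
    """
    hits = []
    for path in paths:
        if "\\programs\\startup\\" not in path.lower():
            continue
        hits.append({
            "path": path,
            "file": ntpath.basename(path),
            "via_admin_share": bool(ADMIN_SHARE_RE.match(path)),
        })
    return hits


# Constructed sample input (not real telemetry).
SAMPLE_RUN_ENTRIES = [
    ("VendorUpdater", r'"C:\Program Files\Vendor\updater.exe" /background'),
    ("LssaShellEx", r"%SYSTEM%\lsass.exe -reg "),
]
SAMPLE_FILE_WRITES = [
    r"\\WS-01\C$\Documents and Settings\All Users\Start Menu\Programs\Startup\lssas.exe",
    r"\\WS-01\D$\Documents and Settings\user\Start Menu\Start Menu\Programs\Startup\lssas.exe",
    r"\\WS-01\C$\Documents and Settings\All Users\Documents\report.doc",
]

if __name__ == "__main__":
    for hit in flag_run_entries(SAMPLE_RUN_ENTRIES):
        print("RUN KEY :", hit["name"], "->", hit["command"], "|", "; ".join(hit["reasons"]))
    for hit in flag_startup_writes(SAMPLE_FILE_WRITES):
        print("STARTUP :", hit["path"], "| via admin share:", hit["via_admin_share"])
```

Run against a real export of the Run key and a day of file-creation events, the two functions give a short list to review by hand; a Run entry flagged for both reasons, or a Startup write arriving over an X$ share, matches the behaviour described above closely enough to warrant isolating the host.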
It may update and delete information within a database (MS SQL server) if it is accessible by OLEDB. It attempts to manipulate data in relation to the following database names:
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":