When this worm is run, it starts an FTP server thread and begins to scan 10,000,000 IP addresses in an attempt to find a vulnerable system at one of the targeted addresses. The vulnerable systems that it targets are Microsoft IIS installations (versions 4 and 5) that do not have the security patches installed to cover the "Web Server Folder Traversal" security vulnerability, as described in http://www.microsoft.com/technet/security/bulletin/MS00-078.asp.
Additional advice on securing IIS web servers is available from:
When the worm finds a vulnerable system, it copies itself to the targeted system and sets it up to automatically run the worm, effectively making that system a zombie that participates in the hacker's e-war. To make sure that the worm is run during the next system startup, the worm adds the value
to the following registry keys:
This worm has two payloads:
- A denial-of-service attack is initiated against http://www.microsoft.com.
- An email bombing session is started that sends email messages containing an obscene message to firstname.lastname@example.org.
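
The mass scanning described above shows up on the network as one internal host contacting many different addresses in a short time. The following sliding-window check over flow records is an added example, not part of the original advisory. The log format, the choice of TCP port 80 (the usual web server port), the thresholds and the sample addresses are all assumptions constructed for illustration.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

def parse_flow(line):
    """Parse 'ISO-time src dst dport' (a constructed log format, not a real product's)."""
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)

def find_scanners(lines, port=80, window=timedelta(seconds=60), threshold=25):
    """Return {src: peak distinct destinations on `port` within any `window`}
    for sources whose peak reaches `threshold`. Lines must be in time order."""
    recent = defaultdict(deque)    # src -> (ts, dst) pairs inside the window
    counts = defaultdict(Counter)  # src -> dst -> occurrences inside the window
    peak = Counter()
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, dport = parse_flow(line)
        if dport != port:
            continue
        recent[src].append((ts, dst))
        counts[src][dst] += 1
        # Expire connections that fell out of the sliding window.
        while ts - recent[src][0][0] > window:
            _, old = recent[src].popleft()
            counts[src][old] -= 1
            if counts[src][old] == 0:
                del counts[src][old]
        peak[src] = max(peak[src], len(counts[src]))
    return {s: n for s, n in peak.items() if n >= threshold}

def sample_log():
    """Constructed sample: one host sweeping addresses, one browsing normally."""
    base = datetime(2024, 1, 1, 10, 0, 0)
    rows = []
    for i in range(40):  # 10.0.0.5 tries 40 different addresses in 40 seconds
        rows.append((base + timedelta(seconds=i), "10.0.0.5", f"198.51.100.{i + 1}", 80))
    for i in range(40):  # 10.0.0.9 revisits the same three servers over 40 seconds
        rows.append((base + timedelta(seconds=i), "10.0.0.9", f"203.0.113.{i % 3 + 1}", 80))
    rows.append((base + timedelta(seconds=5), "10.0.0.9", "203.0.113.50", 21))
    rows.sort()
    return [f"{t.isoformat()} {s} {d} {p}" for t, s, d, p in rows]

if __name__ == "__main__":
    for src, n in find_scanners(sample_log()).items():
        print(f"{src}: {n} distinct destinations on port 80 within 60s")
```

The threshold and window need tuning against normal traffic on the monitored network; proxies and crawlers legitimately reach many destinations and should be allow-listed.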
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":