When the worm executes, it creates the following files:
The worm then copies itself as the following file to all drives, including removable devices:
It also creates the following file so that it executes whenever a drive is accessed:
Next, the worm creates the following registry entry so that it executes whenever Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\"Worms" = "C:\WINDOWS\system32\logon.bat"
It also creates the following registry entries, which affect security settings:
HKEY_ALL_USERS\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoFolderOptions" = "1"
HKEY_ALL_USERS\Software\Microsoft\Windows\CurrentVersion\Policies\System\"DisableTaskMgr" = "1"
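To check a host for the registry entries listed above, the following added example (not part of the original write-up) scans the text of a registry export for them. It assumes that HKEY_ALL_USERS refers to the per-user hives, so keys are matched by path suffix under any hive. The function names and the sample export are constructed for illustration.

```python
import re

# Key-path suffixes (lower-case) taken from the write-up's registry entries.
CV = r"\software\microsoft\windows\currentversion"
INDICATORS = {
    # (key suffix, value name): predicate over the decoded value data
    (CV + r"\runonce", "worms"):
        lambda d: isinstance(d, str) and d.lower().endswith(r"\system32\logon.bat"),
    (CV + r"\policies\explorer", "nofolderoptions"): lambda d: d in (1, "1"),
    (CV + r"\policies\system", "disabletaskmgr"): lambda d: d in (1, "1"),
}
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def decode(raw):
    """Decode REG_DWORD and REG_SZ data; other types are returned undecoded."""
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return re.sub(r"\\(.)", r"\1", raw[1:-1])  # undo \\ and \" escaping
    return raw

def scan_reg_export(text):
    """Return (key, value name, data) for every entry matching the write-up."""
    hits, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # start of a new key section
            continue
        m = VALUE_RE.match(line)
        if key is None or m is None:
            continue
        name, data = m.group(1), decode(m.group(2).strip())
        for (suffix, wanted), matches in INDICATORS.items():
            if key.lower().endswith(suffix) and name.lower() == wanted and matches(data):
                hits.append((key, name, data))
    return hits

# Constructed sample export (the SID is a placeholder, not from the write-up).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Worms"="C:\\WINDOWS\\system32\\logon.bat"

[HKEY_USERS\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions"=dword:00000001
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000000
'''
```

Export files written by regedit are UTF-16, so decode them to text before passing the contents to scan_reg_export.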
The worm is designed specifically to delete all .mp3 files on all drives.
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":