When the worm is executed, it creates the following file:
%UserProfile%\Application Data\[RANDOM CHARACTERS].exe
It then creates the following registry entry, so that it starts when Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[RANDOM CHARACTERS]" = "%UserProfile%\Application Data\[RANDOM CHARACTERS].exe"
It then injects itself into the explorer.exe and winlogon.exe processes.
The worm also contains rootkit capabilities, which hide its file and registry entries.
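The persistence mechanism described above (a .exe dropped directly into the profile's Application Data folder and launched from an HKCU Run value) can be triaged from the host. The following PowerShell function is an added example for defenders, not Symantec's tooling; it lists Run values whose executable sits in that drop root and reports whether the file is visible and signed. The `Get-SuspiciousRunEntry` name and the heuristics are this example's own assumptions.

```powershell
# Added example (not part of the Symantec writeup): triage HKCU Run entries for
# the persistence pattern described above. Assumes a live, readable registry;
# see the note after the block on what the rootkit component can hide.
function Get-SuspiciousRunEntry {
    [CmdletBinding()]
    param(
        [string]$RunKeyPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    )

    # Drop roots named in the writeup. APPDATA is the modern path for the
    # legacy "%UserProfile%\Application Data" folder (a junction on newer Windows).
    $dropRoots = @(
        (Join-Path $env:USERPROFILE 'Application Data'),
        $env:APPDATA
    ) | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }

    $item = Get-ItemProperty -Path $RunKeyPath -ErrorAction SilentlyContinue
    if (-not $item) { return }

    foreach ($prop in $item.PSObject.Properties) {
        # Skip the provider metadata properties that Get-ItemProperty adds.
        if ($prop.Name -in 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider') { continue }

        $raw = [string]$prop.Value
        # Extract the executable: a quoted path, or else the first token.
        $exe = if ($raw -match '^\s*"([^"]+)"') { $Matches[1] } else { ($raw -split '\s+')[0] }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        $dir = Split-Path -Path $exe -Parent

        # Heuristic from the writeup: a .exe directly in the Application Data root,
        # not in a vendor subfolder, matches the described drop location.
        $inDropRoot = $dropRoots | Where-Object { $dir -and ($dir.TrimEnd('\') -ieq $_) }
        if (-not $inDropRoot -or [IO.Path]::GetExtension($exe) -ne '.exe') { continue }

        $exists = Test-Path -LiteralPath $exe
        $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'n/a' }

        [pscustomobject]@{
            ValueName   = $prop.Name
            Command     = $raw
            Exe         = $exe
            FileVisible = $exists   # $false with a live Run value suggests the file is hidden
            Signature   = $sig
        }
    }
}

Get-SuspiciousRunEntry | Format-Table -AutoSize
```

Because the worm's rootkit component hides both its file and its registry value from the running system, an empty result from this query on a suspect host is not a clean bill of health; a Run value that is present while its file reports as missing is itself a strong indicator, and a definitive check should read the user's hive and profile folder offline or from a trusted boot environment.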
The worm then opens a back door and connects to a predetermined IRC server, allowing an attacker to perform any of the following actions:
- Scan Internet Explorer and Firefox traffic for user names and passwords.
- Intercept FTP traffic and extract user names and passwords.
- Intercept traffic from instant messaging clients.
- Intercept and block specific IRC messages.
- Block downloads of .exe, .com, .pif, and .scr files.
- Modify responses to DNS requests, redirecting domains to specific IPs or blocking them entirely.
- Insert links into MSN Messenger messages in order to download copies of the worm.
- Copy itself to removable drives and create autorun.inf files to spread.
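The removable-drive spreading relies on an autorun.inf that points the shell at a copy of the worm. As an added defensive example (not Symantec's code), the PowerShell below parses the `[autorun]` section for the launch keys (`open`, `shellexecute`, and `shell\...\command`) and then applies that parser to every removable drive, reporting whether the referenced target exists and what attributes the autorun.inf carries. Function names and the sample autorun.inf at the end are constructed for this example.

```powershell
# Added example (not part of the Symantec writeup): inspect autorun.inf launch
# targets on removable drives. Function names are this example's own.
function Get-AutorunLaunchTarget {
    param([Parameter(Mandatory)][string[]]$Lines)
    $section = ''
    foreach ($line in $Lines) {
        $t = $line.Trim()
        if ($t -eq '' -or $t.StartsWith(';')) { continue }          # blank / comment
        if ($t -match '^\[(.+)\]$') { $section = $Matches[1].ToLower(); continue }
        if ($section -ne 'autorun') { continue }
        # Keys that cause the shell to launch a program from the drive.
        if ($t -match '^(open|shellexecute|shell\\[^\\=]+\\command)\s*=\s*(.+)$') {
            [pscustomobject]@{ Key = $Matches[1]; Command = $Matches[2].Trim() }
        }
    }
}

function Get-RemovableDriveAutorun {
    # DriveType 2 = removable disk in Win32_LogicalDisk.
    foreach ($d in Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2') {
        $inf = Join-Path $d.DeviceID 'autorun.inf'
        if (-not (Test-Path -LiteralPath $inf)) { continue }
        # -Force so hidden/system files (the usual attributes on a malicious inf) are read.
        $attrs = (Get-Item -LiteralPath $inf -Force).Attributes
        $lines = Get-Content -LiteralPath $inf -Force
        foreach ($hit in Get-AutorunLaunchTarget -Lines $lines) {
            $target = ($hit.Command -split '\s+')[0].Trim('"')
            $full   = Join-Path $d.DeviceID $target
            [pscustomobject]@{
                Drive         = $d.DeviceID
                Key           = $hit.Key
                Command       = $hit.Command
                TargetExists  = Test-Path -LiteralPath $full   # $false may mean the rootkit hides it
                InfAttributes = $attrs
            }
        }
    }
}

# Constructed sample autorun.inf, used only to show the parser's output offline.
$sampleInf = @(
    '[autorun]',
    ';constructed example, not a real sample',
    'open=placeholder.exe',
    'shellexecute=placeholder.exe',
    'shell\Open\command=placeholder.exe'
)
Get-AutorunLaunchTarget -Lines $sampleInf | Format-Table -AutoSize

# Live check of attached removable media.
Get-RemovableDriveAutorun | Format-Table -AutoSize
```

Any `open` or `shellexecute` entry on removable media that points at an executable in the drive root warrants quarantining the drive; the same rootkit caveat as for the registry check applies, since a hidden target file will report as missing on an infected host.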
It then spreads through removable drives, MSN Messenger, and by exploiting the following vulnerabilities:
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":