Once executed, the worm creates the following file:
It then creates the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\"AppInit_DLLs" = "%Windir%\mssys.dll"
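A host check for the registry entry above, added here as an example and not part of the original write-up: it lists every DLL registered under AppInit_DLLs and flags the mssys.dll entry. The function name Get-AppInitEntry, the output field names, and the extra Wow6432Node key (the 32-bit view on 64-bit Windows) are assumptions of this example.

```powershell
# Added example: audit AppInit_DLLs for the mssys.dll entry named in the write-up.
# Run in an elevated 64-bit PowerShell session on the host being checked.
$indicator = 'mssys.dll'   # DLL file name taken from the registry entry above
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    # Assumption: also check the 32-bit registry view present on 64-bit Windows
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)

function Get-AppInitEntry {
    param([string[]]$Path)
    foreach ($key in $Path) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }   # key absent (e.g. no Wow6432Node on 32-bit hosts)

        # AppInit_DLLs holds a space- or comma-delimited list of DLL paths
        $raw = [string]$props.AppInit_DLLs
        foreach ($entry in ($raw -split '[ ,]+' | Where-Object { $_ })) {
            # Expand %Windir% and similar variables so the path can be tested on disk
            $expanded = [Environment]::ExpandEnvironmentVariables($entry.Trim('"'))
            [pscustomobject]@{
                Key             = $key
                Entry           = $entry
                ExpandedPath    = $expanded
                # Raw LoadAppInit_DLLs value (Windows Vista and later); 1 means loading is on
                LoadAppInitDLLs = $props.LoadAppInit_DLLs
                # Only meaningful for absolute paths; bare names resolve relative to the session
                FileExists      = Test-Path -LiteralPath $expanded -PathType Leaf
                MatchesWorm     = ((Split-Path -Path $expanded -Leaf) -ieq $indicator)
            }
        }
    }
}

$found = @(Get-AppInitEntry -Path $keys)
if ($found.Count -eq 0) {
    Write-Output 'AppInit_DLLs is empty in all checked keys.'
} else {
    $found | Format-Table -AutoSize
    $hits = @($found | Where-Object { $_.MatchesWorm })
    if ($hits.Count -gt 0) {
        Write-Warning "AppInit_DLLs references $indicator in $($hits.Count) key(s); isolate the host before cleanup."
    }
}
```

Any AppInit_DLLs entry that is not expected on the host deserves review, since every listed DLL is loaded into each process that loads user32.dll.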
Next, the worm searches for RAR archives on the compromised computer and inserts a copy of itself using one of the following file names:
The worm connects to the following location to check for updates:
It downloads updated copies of itself from the following location:
The worm propagates by dropping an autorun.inf file in the root folder of removable, network, and local drives.
It then drops itself in the same location using one of the following file names:
The worm stops executing if any of the following processes are detected:
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":