This description is for a worm that is capable of spreading through removable devices and network shares.
The characteristics of this worm in regards to file names, folders created etc. will differ from one version to another. Hence, this is a general description.
5020 (2007-04-30)Updated DAT
When executed, this worm drops the following files:
It then modifies the following registry entries:
The worm also enumerates all network shares and local drives and copies itself along with an autorun.inf file, which causes the worm to execute when users navigate to the folders containing the worm file.
This worm spreads by copying itself to network shares and to removable devices, along with an Autorun.inf file.
Infection starts either with manual execution of the infected file or by simply navigating to the folders containing the infected files, whereby the Autorun.inf file could cause automatic execution of the worm.
A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.