When executed, this worm connects to one of the following sites to check the date and time:
The worm continues executing only if the date is before May 3rd, 2009.
On successful execution, the worm drops the following file:
It creates a service with a random file name using the above file. Once the service is created, the worm deletes the above ".tmp" file.
The worm then patches the following system file in memory:
This is done to remove the limitation set on the maximum number of TCP connection attempts that can be made by the infected machine.
- %System% is a variable that refers to the System folder. By default, this is C:\Windows\System32 for Windows XP.
This worm creates the following mutex to ensure only one instance of the worm is running in memory:
The worm connects to one of the following URLs to find the IP address of the infected machine:
The worm then starts an HTTP server on a random port on the infected machine to host a copy of the worm. It then continuously scans the subnet of the infected host for vulnerable machines and executes the exploit. If the exploit is successful, the remote computer will then connect back to the HTTP server and download a copy of the worm.
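The propagation pattern described above leaves two correlated traces in network flow data: one host attempting connections to many addresses in its own subnet, followed by a probed host connecting back to it. The following detection sketch is an added example, not part of the original write-up; the flow tuple layout, the thresholds (10 distinct targets within 60 seconds, /24 subnet) and all sample addresses and ports are assumptions.

```python
import ipaddress
from collections import defaultdict

def same_subnet(a, b, prefix):
    return ipaddress.ip_address(b) in ipaddress.ip_network(f"{a}/{prefix}", strict=False)

def find_spreaders(flows, prefix=24, fanout=10, window=60):
    """flows: (ts_seconds, src, dst, dst_port) connection attempts.
    Returns {scanner: [(peer, port, ts), ...]} where each peer was probed by
    the scanner and later connected back to it."""
    flows = sorted(flows)
    probes = defaultdict(list)            # src -> [(ts, dst)] inside its own subnet
    for ts, src, dst, _ in flows:
        if same_subnet(src, dst, prefix):
            probes[src].append((ts, dst))
    scanners = {}                         # src -> {dst: time of first probe}
    for src, events in probes.items():
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1                # slide the window forward
            if len({d for _, d in events[start:end + 1]}) >= fanout:
                first = {}
                for ts, d in events:
                    first.setdefault(d, ts)
                scanners[src] = first
                break
    # Second signal: a probed host opens a connection back to the scanner.
    return {src: [(s, port, ts) for ts, s, d, port in flows
                  if d == src and s in first and ts > first[s]]
            for src, first in scanners.items()}

# Constructed sample flows (addresses, ports and times are illustrative only).
SAMPLE = [(100 + i, "10.0.5.23", f"10.0.5.{i}", 4000) for i in range(1, 13)]
SAMPLE += [
    (130, "10.0.5.7", "10.0.5.23", 38211),   # probed host connects back
    (50, "10.0.5.9", "10.0.5.23", 3389),     # predates the probe: ignored
    (105, "10.0.5.40", "10.0.5.2", 80),      # ordinary in-subnet traffic
    (200, "10.0.5.40", "192.0.2.10", 53),    # traffic leaving the subnet
]

if __name__ == "__main__":
    for host, callbacks in find_spreaders(SAMPLE).items():
        print(host, "scanned its subnet; connect-backs:", callbacks)
```

A host reported with an empty connect-back list has only matched the scanning signal; a non-empty list means at least one probed machine subsequently connected to it and should be triaged as well.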