This worm spreads via the Internet as an attachment to infected messages. It sends itself to email addresses harvested from the victim computer.
The worm itself is a PE EXE file 15462 bytes in size, written in Visual Basic.
When installing, the worm copies itself to the Fonts folder in the Windows root directory under a random name:
The worm also registers itself in the system registry, ensuring that it will be launched each time Windows is rebooted on the victim machine:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "TempCom"="%Windir%\Fonts\<random name>.com"
The worm modifies the following system registry entries:
"HideFileExt" = "1"
"Hidden" = "0"
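The registry changes described above can be checked for in an exported hive. The following is an added example, not part of the original description: it parses `.reg` export text and flags Run entries that launch an executable from a Fonts folder, plus the two listed value settings. The sample export, the file name `qwxzt.com`, the `Explorer\Advanced` key in the sample and the extra extensions are constructed or assumed for illustration.

```python
import re

# Constructed .reg export for illustration; not from a real infected host.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"TempCom"="C:\\WINDOWS\\Fonts\\qwxzt.com"
"Updater"="C:\\Program Files\\Vendor\\updater.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt"=dword:00000001
"Hidden"=dword:00000000
'''

RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run$", re.I)
# .com is from the description; other extensions are an added generalization.
FONTS_EXE = re.compile(r"\\Fonts\\[^\\]+\.(com|exe|scr|pif|bat)\b", re.I)
# Names/data from the description, matched under any key (it names none).
SETTINGS = {"hidefileext": "1", "hidden": "0"}
VALUE = re.compile(r'^"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$')

def parse_reg(text):
    """Yield (key, value_name, data_as_str) from .reg export text."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE.match(line)
        if m and key:
            name, string, dword = m.groups()
            if dword is not None:
                yield key, name, str(int(dword, 16))
            else:
                # .reg exports escape backslashes in string data
                yield key, name, string.replace("\\\\", "\\")

def find_indicators(text):
    """Return (kind, key, value_name, data) tuples for matching entries."""
    hits = []
    for key, name, data in parse_reg(text):
        if RUN_KEY.search(key) and FONTS_EXE.search(data):
            hits.append(("autorun-from-fonts", key, name, data))
        elif SETTINGS.get(name.lower()) == data:
            hits.append(("explorer-view-setting", key, name, data))
    return hits

if __name__ == "__main__":
    print(*find_indicators(SAMPLE_REG), sep="\n")
```

The view-setting matches are weak signals on their own, since hiding file extensions is a common default; the Run entry pointing into the Fonts folder is the stronger indicator.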
Propagation via email
The worm sends itself to addresses harvested from the MS Windows address books on the victim machine.