When launched, the worm injects its code in the address space of one of the active “svchost.exe” system processes. This code delivers the worm’s main malicious payload and:
The worm may also download files from links of the type shown below:
rnd2 is a random number; URL is a link generated by a special algorithm which uses the current date. The worm gets the current date from one of the sites shown below:
http://www.w3.org http://www.ask.com http://www.msn.com http://www.yahoo.com http://www.google.com http://www.baidu.com
Downloaded files are saved to the Windows system directory under their original names.