The worm’s entire payload is executed by code injected into the address space of the “EXPLORER.EXE” process. The payload is not executed if any one of the following conditions is met:
- The following branch is missing from the system registry:
[HKCU\Control Panel\PowerCfg\PowerPolicies]
- The current user’s account name is:
- The following libraries are loaded in the worm’s address space:
- The worm’s original file was saved in the system as:
After injecting the malicious code into the “EXPLORER.EXE” process, the worm performs the following actions:
- To ensure that only one instance runs on the system, a unique identifier is created with the name:
- To provide access to the infected system, the following named pipe is created:
- A connection is established to the malicious user’s server:
Following a command by the malicious user, the worm can perform the following actions on the infected computer:
- Launch a DoS attack against specified servers.
- Download files from links sent to it. The downloaded files are saved in the current user’s temporary files directory “%Temp%” using random names.
- Download an updated version of the worm from the malicious user’s server.
- Parse the settings files of the following browsers:
in order to steal the passwords saved in them.
- Steal and modify browser cookies. To do this, the worm uses the “sqlite” module built into Mozilla Firefox.
- The actions described in the “Installation” and “Propagation” sections.
The worm reports to the malicious user’s server with messages of the following form:
KB data sent: <number>
SYN packets sent: <number>
flood stopped: <string>
Drive infected: <string>
USB spreader running
P2P Copy to: <string>
MSN spreader running
MSN spread started, link: <string>
MSN link sent
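The status messages listed above are plain, fixed strings, which makes them usable as network signatures for a defender. The following Python script is an added example (not code from the original write-up or from the worm) that turns each template into an anchored regular expression and runs them over constructed log lines from a hypothetical outbound-traffic monitor whose line layout (`<timestamp> <src> -> <dst> <payload>`) is an assumption of this example. It reports which lines carry a bot status message and which destination is receiving them.

```python
import re

# Status messages quoted in the write-up, turned into anchored regular
# expressions. "<number>" becomes a digit run, "<string>" a free-text capture.
STATUS_PATTERNS = {
    "kb_data_sent":         re.compile(r"^KB data sent: (?P<value>\d+)$"),
    "syn_packets_sent":     re.compile(r"^SYN packets sent: (?P<value>\d+)$"),
    "flood_stopped":        re.compile(r"^flood stopped: (?P<value>.+)$"),
    "drive_infected":       re.compile(r"^Drive infected: (?P<value>.+)$"),
    "usb_spreader_running": re.compile(r"^USB spreader running$"),
    "p2p_copy_to":          re.compile(r"^P2P Copy to: (?P<value>.+)$"),
    "msn_spreader_running": re.compile(r"^MSN spreader running$"),
    "msn_spread_started":   re.compile(r"^MSN spread started, link: (?P<value>.+)$"),
    "msn_link_sent":        re.compile(r"^MSN link sent$"),
}

# Assumed (hypothetical) log layout of an outbound-traffic monitor:
# "<timestamp> <src ip:port> -> <dst ip:port> <printable payload>"
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>\S+) (?P<payload>.*)$")


def classify_message(payload):
    """Map one payload string to (event, value), or None if no template matches."""
    text = payload.strip()
    for event, pattern in STATUS_PATTERNS.items():
        m = pattern.match(text)
        if m:
            # Templates without a "<number>"/"<string>" slot yield value None.
            return event, m.groupdict().get("value")
    return None


def scan_log(lines):
    """Return one finding per log line whose payload is a bot status message."""
    findings = []
    for number, line in enumerate(lines, 1):
        m = LOG_LINE.match(line)
        if not m:
            continue  # lines in another layout are skipped, not guessed at
        hit = classify_message(m.group("payload"))
        if hit:
            event, value = hit
            findings.append({
                "line": number,
                "src": m.group("src"),
                "dst": m.group("dst"),
                "event": event,
                "value": value,
            })
    return findings


def summarize(findings):
    """Count matches per destination so a responder sees which peer acts as C2."""
    counts = {}
    for f in findings:
        counts[f["dst"]] = counts.get(f["dst"], 0) + 1
    return counts


# Constructed sample log lines (not taken from a real capture); addresses and
# the link are documentation/reserved values.
SAMPLE_LOG = [
    "2024-03-01T10:00:01Z 10.0.0.5:49152 -> 203.0.113.7:6667 SYN packets sent: 4200",
    "2024-03-01T10:00:02Z 10.0.0.5:49153 -> 93.184.216.34:80 GET / HTTP/1.1",
    "2024-03-01T10:00:05Z 10.0.0.5:49152 -> 203.0.113.7:6667 USB spreader running",
    "2024-03-01T10:00:09Z 10.0.0.5:49152 -> 203.0.113.7:6667 MSN spread started, link: http://c2.example.invalid/update.exe",
    "malformed line without the expected layout",
]

if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for finding in results:
        print(finding)
    print(summarize(results))
```

The patterns are anchored on both ends so that ordinary HTTP traffic containing one of these words as a substring does not fire; if the monitor only exposes the first few bytes of a payload, drop the trailing `$` and accept the higher false-positive rate.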
- On command from the malicious user, the worm can also replace the “hosts” file:
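A replaced “hosts” file overrides DNS for the names it lists, so a baseline comparison is the quickest way to spot the change during a response. The Python script below is an added example, not code from the original write-up, and the baseline and “suspect” file contents are constructed for the example (the names in them are reserved `.example` domains and stand in for whatever the replaced file actually contains, which the write-up does not show). It parses both files, reports added, changed and removed entries, and notes whether each finding points at a loopback address (a name being blocked) or elsewhere (a name being redirected).

```python
import ipaddress

# Constructed baseline: the hosts file of a clean workstation.
BASELINE_HOSTS = """\
# default entries
127.0.0.1       localhost
::1             localhost
"""

# Constructed "after" file standing in for a replaced hosts file; the two
# extra lines are test data for this example, not content taken from the worm.
SUSPECT_HOSTS = """\
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.security-vendor.example   # name pinned to loopback
203.0.113.9     www.bank.example                 # name redirected elsewhere
"""


def parse_hosts(text):
    """Return {hostname: set of addresses}, ignoring comments and blank lines."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        address, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(address)
        except ValueError:
            continue  # first field is not an address; skip rather than guess
        for name in names:
            mapping.setdefault(name.lower(), set()).add(address)
    return mapping


def describe(addresses):
    """'loopback' when every address is a loopback one, else 'non-loopback'."""
    if all(ipaddress.ip_address(a).is_loopback for a in addresses):
        return "loopback"
    return "non-loopback"


def audit_hosts(current_text, baseline_text):
    """Compare a hosts file with a known-good baseline.

    Returns a sorted list of (kind, hostname, [addresses], 'loopback'|'non-loopback')
    tuples; an empty list means the file matches the baseline.
    """
    current, baseline = parse_hosts(current_text), parse_hosts(baseline_text)
    findings = []
    for name, addrs in sorted(current.items()):
        if name not in baseline:
            findings.append(("added", name, sorted(addrs), describe(addrs)))
        elif addrs != baseline[name]:
            findings.append(("changed", name, sorted(addrs), describe(addrs)))
    for name in sorted(baseline):
        if name not in current:
            old = baseline[name]
            findings.append(("removed", name, sorted(old), describe(old)))
    return findings


if __name__ == "__main__":
    for finding in audit_hosts(SUSPECT_HOSTS, BASELINE_HOSTS):
        print(finding)
```

To run it against a live machine, read `%SystemRoot%\System32\drivers\etc\hosts` into `current_text` and keep the baseline from a known-clean image; the parser tolerates the comment and whitespace conventions of the stock Windows file.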
At the time of writing, the malicious user’s server was not responding.