Upon execution it creates a copy of itself to the following path:
Note: %UserProfile% refers to the current user’s profile folder.
It also creates copies of itself in removable drives with the following filename:
and also drops the following 0 byte file in removable drives:
It spreads by creating copies of itself in removable storage devices and mounted network shares. It will create an “autorun.inf” to allow it to automatically execute itself when attached to another system with auto run enabled.
It changes the attributes of the directories in the affected drive to hidden and create copies of itself with the same filename as the hidden directory.
It checks for files with the following extension in the removable drives and changes its attributes to hidden and create copies of itself with the same filename as the hidden file.
It adds copies of itself in ZIP and RAR archives. Added copy have the following filename:
It will create the following to the registry to automatically execute at startup:
[malware filename] =” %UserProfile%\[Random name].exe /e"
NOTE: the command line option /e shown above may differ as the worm updates this during different stages of its executions. Other possible options include "/g", "/r", "/p" and "/s".
It disables the windows update by setting the NoAutoUpdate value to 1
NoAutoUpdate = dword:00000001
It sets the following registry value to keep the hidden files hidden:
ShowSuperHidden = dword:00000000
It connects to one of the following domains on either the tcp port 8000, 8003 or 9004:
Once connected to the specific port, the C&C server will automatically send out a download command with link to the file to be downloaded.It will then attempt to download and execute the file pointed to by the link.