|Detected||Jul 29 2004 08:14 GMT|
|Released||Jan 31 2009 07:18 GMT|
|Published||Jul 29 2004 08:14 GMT|
This worm spreads via P2P networks as a PE file.
The worm itself is a Windows PE EXE file, 32KB in size and is written in Visual Basic.
When launched, the worm copies itself to the C:\Windows\System32\ directory under its current name and hides the file in the Windows system directory.
The worm then registers this file in the system registry, to ensure that the file is launched each time Windows is started:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run\] Windows = <file name>
The worm copies itself to the following directories:
C:\My Shared Folder\ C:\Windows\My Shared Folder\ C:\Windows\Share\ C:\My Downloads\C:\Windows\My Downloads\
When launched, the worm conducts DoS attacks on the following sites:
www.microsoft.com www.aol.com www.yahoo.com www.google.com
by sending packets of maximum size (64 bytes) using the ping utility.
It will only do this between 0000 and 1800 and from 1900 to 2400.
If the worm is launched between 1800 and 1900 according to the local system clock, it will create a directory named Shared in the C:\ root directory, and will copy itself to this directory.
VirTool programs can be used to modify other malicious programs so that they cannot be detected by antivirus software.