This worm may be dropped by other malware. It may arrive via network shares. It may be downloaded unknowingly by a user when visiting malicious Web sites.
It drops copies of itself.
It registers itself as a system service to ensure its automatic execution at every system startup. It does this by creating registry keys/entries. It modifies registry entries to enable its automatic execution at every system startup.
It disables the DCOM protocol. It restricts anonymous access to the affected system. It disables Security Center functions. It disables Windows Firewall settings. It disables Task Manager. It does the said routine to avoid termination from the affected system's memory. It shortens the length of time the system waits for services to stop before shutting down. It modifies registry entries to disable automatic update for Service Pack 2 on systems running Windows XP. It modifies registry entries to disable specific services. It creates registry entries to disable administrative shares. It creates registry key(s)/entry(ies) as part of its installation routine.
It searches the network for certain shares, into which it attempts to drop copies of itself.
It takes advantage of software vulnerabilities to propagate across networks.

It opens random ports to connect to an Internet Relay Chat (IRC) server, where it joins an IRC channel. Once it establishes a connection, it acts as a backdoor that enables a remote malicious user to issue several commands, which it executes locally on an affected system.
It is capable of information theft. It uses a network sniffer to go through network traffic in search of certain strings. It terminates certain processes, if found running in memory.


More...