Worm_onlineg.xdz
This worm may be downloaded unknowingly by a user when visiting malicious Web site(s).

It creates registry entry(ies) to enable its automatic execution at every system startup. It modifies registry entry(ies) to hide files with both System and Read-only attributes. It drops copies of itself in all physical and removable drives. It also drops an AUTORUN.INF file to enable the automatic execution of its dropped copies every time the said drives are accessed.

This worm accesses Web sites to download file(s), including WORM_ONLINE.CS. The downloaded .RAR file contains an encrypted URL code which can download a copy of WORM_ONLINE.CS. As a result, routines of the downloaded files are also exhibited on the affected system.

It also drops component file(s). One of the .DLL files, which contains all malicious routines of its main malware component, is injected into the legitimate process EXPLORER.EXE. It terminates process(es), if found running in memory.

This worm steals information by collecting user inputs (specifically user names and passwords) from certain URLs. It also monitors certain online game processes. It then sends the gathered information to several IP addresses. This routine risks the exposure of the user's account information, which may then lead to the unauthorized use of the stolen data.