To get a one-glance comprehensive view of the behavior of this malware, refer to the Behavior Diagram shown below.
Malware Overview
This worm may be dropped or downloaded from remote sites by other malware. It may also arrive via file sharing through removable drives.
Upon execution, this worm drops several files. It then registers itself as a system service to ensure its automatic execution at every system startup. It also modifies registry entries to hide files with both System and Read-only attributes.
This worm drops a component file, also detected as WORM_HIDDEN.B, on removable drives that have a FAT or FAT32 partition. It also drops an AUTORUN.INF to execute the dropped copy when an affected drive is accessed.
The dropped component file is used to find the worm on the infected drive, copy it to the Windows system folder and execute it. It needs this component file since the worm itself is encrypted on the drive and is not stored by conventional means.
It is saved in a random space on the drive which is tagged as corrupted. The said space is deemed unusable, thereby making the worm "invisible" and not easily detected. This worm is written without using a file name and is called upon by using the disk offset where it is stored.
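For triage of a suspect removable drive image, the following added example (not part of the original description) lists FAT32 clusters that are marked bad yet still contain data. It assumes that "tagged as corrupted" corresponds to the FAT32 bad-cluster marker 0x0FFFFFF7; the function names and the miniature sample image are constructed for illustration.

```python
import struct

BAD_CLUSTER = 0x0FFFFFF7  # FAT32 bad-cluster marker (low 28 bits of a FAT entry)

def parse_bpb(img):
    """Read the FAT32 BIOS Parameter Block fields needed to locate the FAT and data area."""
    bps, spc, reserved, nfats = struct.unpack_from("<HBHB", img, 11)
    total, fatsz = struct.unpack_from("<II", img, 32)
    return bps, spc, reserved, nfats, total, fatsz

def bad_clusters_with_data(img):
    """Return [(cluster, byte_offset, nonzero_bytes)] for bad-marked clusters that hold data."""
    bps, spc, reserved, nfats, total, fatsz = parse_bpb(img)
    fat_off = reserved * bps
    data_sector = reserved + nfats * fatsz
    # Never read past the first FAT, even if the BPB claims more clusters.
    last = min((total - data_sector) // spc + 2, fatsz * bps // 4)
    csize = bps * spc
    hits = []
    for c in range(2, last):
        entry = struct.unpack_from("<I", img, fat_off + 4 * c)[0] & 0x0FFFFFFF
        if entry != BAD_CLUSTER:
            continue
        off = (data_sector + (c - 2) * spc) * bps
        nonzero = csize - img[off:off + csize].count(0)
        if nonzero:  # heuristic: an unused bad cluster is normally expected to be blank
            hits.append((c, off, nonzero))
    return hits

def build_sample_image():
    """Constructed miniature volume (far too small for real FAT32; only the layout matters)."""
    bps, spc, reserved, nfats, fatsz, clusters = 512, 1, 2, 1, 1, 16
    total = reserved + nfats * fatsz + clusters * spc
    img = bytearray(total * bps)
    struct.pack_into("<HBHB", img, 11, bps, spc, reserved, nfats)
    struct.pack_into("<II", img, 32, total, fatsz)
    fat = reserved * bps
    struct.pack_into("<I", img, fat + 4 * 5, BAD_CLUSTER)  # marked bad, left empty
    struct.pack_into("<I", img, fat + 4 * 9, BAD_CLUSTER)  # marked bad, but holds data
    off9 = (reserved + nfats * fatsz + (9 - 2) * spc) * bps
    img[off9:off9 + 64] = bytes(range(1, 65))  # constructed stand-in for hidden content
    return bytes(img)

if __name__ == "__main__":
    for c, off, n in bad_clusters_with_data(build_sample_image()):
        print(f"cluster {c} at offset {off}: {n} non-zero bytes in a bad-marked cluster")
```

A hit is a lead for further analysis, not a verdict: genuinely failing media can also leave residual data in bad clusters.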