This worm may be downloaded by other malware or downloaded unknowingly by a user visiting malicious Web sites. It creates folders and drops files/components. Trend Micro detects the component file as CRYP_NSANTI-2.
It creates registry entries to enable its automatic execution at every system startup. It also modifies registry entries to hide files with both System and Read-only attributes.
It drops copies of itself in all physical and removable drives. It drops an AUTORUN.INF file to automatically execute dropped copies when the drives are accessed.
It accesses Web sites to download file(s). Trend Micro detects the downloaded file as WORM_ONLINEG.R. As a result, malicious routines of the downloaded files are exhibited on the affected system.
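For triage of the AUTORUN.INF propagation described above, the following added example (not Trend Micro's code) lists the commands an AUTORUN.INF would launch from a drive root. The sample content and the file name `example_copy.exe` are constructed placeholders, since the report does not name the dropped copies.

```python
import os
import re

# [autorun] keys that cause Windows to launch a program from the drive.
EXEC_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)

# Constructed sample; file names are placeholders, not values from the report.
SAMPLE = """\
;k3Jx junk padding line
[AutoRun]
open=example_copy.exe
shell\\open\\Command=example_copy.exe
shell\\explore\\Command=example_copy.exe
icon=folder.ico
[Other]
open=ignored.exe
"""

def autorun_targets(text):
    """Return (key, command) pairs in the [autorun] section that execute a file."""
    targets, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # skip blanks and comment/junk lines
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            key, value = key.strip(), value.strip()
            if EXEC_KEY.match(key) and value:
                targets.append((key.lower(), value))
    return targets

def scan_root(root):
    """Parse <root>/autorun.inf (any letter case) if it exists as a regular file."""
    for name in os.listdir(root):
        path = os.path.join(root, name)
        if name.lower() == "autorun.inf" and os.path.isfile(path):
            with open(path, encoding="latin-1") as fh:   # latin-1 never fails to decode
                return autorun_targets(fh.read())
    return []

if __name__ == "__main__":
    for key, command in autorun_targets(SAMPLE):
        print(f"{key} -> {command}")
```

A non-empty result from `scan_root` on a drive root is a lead for review: the referenced file can then be checked with an up-to-date scanner.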