Threat behavior
Each time it is executed, the worm first checks whether another instance is already running. It then copies itself to the System folder under a random file name and adds a registry value so that the copy runs at Windows startup. It may also drop a .dll component that it registers as a Browser Helper Object (BHO); the BHO collects information the user enters into web pages.
The worm starts a keylogger thread that appends the captured keystrokes to a report file created in the System folder, also under a random name but with a .dll extension. It connects to an internet site (shared across variants) to upload files and the collected data, and it can also download files from that site. The worm can harvest extensive information about the system it runs on and the logged-on user, including passwords cached by Internet Explorer and Outlook Express and email account details.
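The persistence footprint described above (a randomly named executable in the System folder started from the registry, a BHO DLL, and a data file with a .dll name) can be hunted for from the host itself. The script below is an added example, not code from the original page or from any analysis of this worm. It assumes, because the page does not say so, that the startup value lives under the standard Run/RunOnce keys and that the BHO is registered under Explorer\Browser Helper Objects with a CLSID whose InprocServer32 points at the DLL; the threshold "unsigned or not a PE image, and located in the System folder" is a hunting heuristic, not a signature.

```powershell
# Added example (not from the original page): hunt for the persistence pattern
# described above. Assumptions not stated by the page: standard Run/RunOnce keys
# hold the startup value; the BHO is listed under Explorer\Browser Helper Objects.
$SystemDir = [Environment]::GetFolderPath('System')   # e.g. C:\Windows\System32

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$BhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Get-ImagePath([string]$Command) {
    # Reduce a registry value ("C:\x\y.exe" /arg, or %SystemRoot%\y.exe) to the binary path.
    $Command = [Environment]::ExpandEnvironmentVariables($Command)
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($Command.Trim() -split '\s+')[0]
}

function Test-IsPE([string]$Path) {
    # Real DLL/EXE files start with "MZ"; the keylog report file is plain data with a .dll name.
    try {
        $fs = [System.IO.File]::OpenRead($Path)
        try { $b = New-Object byte[] 2; $n = $fs.Read($b, 0, 2) } finally { $fs.Close() }
        return ($n -eq 2 -and $b[0] -eq 0x4D -and $b[1] -eq 0x5A)
    } catch {
        Write-Warning "cannot read $Path; treating as PE so it is not flagged on access errors"
        return $true
    }
}

function Test-Suspicious([string]$Path) {
    # Flag files inside the System folder that are not PE images or carry no valid signature.
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return $false }
    if (-not $Path.StartsWith($SystemDir, [StringComparison]::OrdinalIgnoreCase)) { return $false }
    if (-not (Test-IsPE $Path)) { return $true }
    return (Get-AuthenticodeSignature -LiteralPath $Path).Status -ne 'Valid'
}

Write-Output "== Startup values pointing at unsigned binaries in $SystemDir =="
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }            # skip PowerShell's own metadata properties
        $img = Get-ImagePath ([string]$p.Value)
        if (Test-Suspicious $img) { "{0}\{1} -> {2}" -f $key, $p.Name, $img }
    }
}

Write-Output "== Browser Helper Objects backed by unsigned DLLs in $SystemDir =="
foreach ($bho in $BhoKeys) {
    if (-not (Test-Path $bho)) { continue }
    foreach ($clsid in (Get-ChildItem -Path $bho).PSChildName) {
        # A 32-bit BHO on a 64-bit system resolves through WOW6432Node\CLSID instead.
        $candidates = @(
            "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32",
            "Registry::HKEY_CLASSES_ROOT\WOW6432Node\CLSID\$clsid\InprocServer32"
        )
        foreach ($inproc in $candidates) {
            if (-not (Test-Path $inproc)) { continue }
            $dll = Get-ImagePath ([string](Get-ItemProperty -Path $inproc).'(default)')
            if (Test-Suspicious $dll) { "$clsid -> $dll" }
        }
    }
}

Write-Output "== .dll files in $SystemDir that are not PE images (candidate keylog report files) =="
Get-ChildItem -LiteralPath $SystemDir -Filter *.dll -File |
    Where-Object { -not (Test-IsPE $_.FullName) } |
    ForEach-Object { "{0}  {1} bytes  modified {2}" -f $_.FullName, $_.Length, $_.LastWriteTime }
```

Run it from an elevated PowerShell prompt so the HKLM keys and every file in the System folder are readable. A hit in the third section is the strongest single indicator, because a legitimate .dll in System32 is always a PE image; a hit in the first two sections still needs a manual look, since unsigned third-party Run entries and BHOs are common on older machines.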
The worm can copy itself to network shares and so spread to other computers. Only certain versions of the worm include the mass-mailing component.
The mass-mailer collects email addresses from various files on the hard disk and sends mail to those addresses. The message carries either the worm executable as an attachment or a link to a web page from which the worm can be downloaded. The sender address is spoofed: sometimes it is the current user's own address (taken from the Outlook account settings) and sometimes an address found on the local hard disk. The worm uses its own SMTP client implementation rather than the installed mail client. Some versions report the mass-mailer's status back through the backdoor component.
The backdoor component accepts commands from the remote site, including: upload and download files, create and terminate processes, upload system and user information, disable the Windows Firewall, and list the contents of folders and upload selected files from them to the server.
Prevention