To get a one-glance comprehensive view of the behavior of this malware, refer to the Behavior Diagram shown below.
This worm may be downloaded from remote sites by other malware. It may be dropped by other malware. It may be downloaded unknowingly by a user when visiting malicious Web sites.
This worm drops a copy of itself with access restricted to FILE_EXECUTE for the user Everyone. It then registers itself as a system service to ensure its automatic execution at every system startup.
This worm connects to time servers to determine the current date. It then generates random strings based on the current date and appends certain domain extensions to these strings to form the generated Web site names. This worm may generate up to 50,000 random URLs based on the given strings. A list of the URLs that it generates can be found in this Trend Micro page. However, it only attempts to connect to around 500 randomly generated URLs at a time.
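The lookup pattern described above, a date-based sweep of around 500 generated names, tends to stand out in DNS resolver logs. The following is an added example, not Trend Micro's code: it flags clients that query many distinct, mostly non-existent, random-looking names within one UTC day. The log format (`epoch client qname rcode`), the thresholds and the sample data are assumptions constructed for illustration.

```python
import math
import random
from collections import Counter, defaultdict

def label_entropy(label):
    """Shannon entropy, in bits per character, of one DNS label."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def flag_dga_sweeps(lines, min_names=100, min_nx=0.8, min_entropy=2.5):
    """Flag (client, UTC day) pairs that look up many distinct, mostly
    non-existent, random-looking names. Thresholds are assumptions."""
    names = defaultdict(set)   # (client, day) -> distinct names queried
    failed = defaultdict(set)  # (client, day) -> names answered NXDOMAIN
    for line in lines:
        ts, client, qname, rcode = line.split()
        key = (client, int(ts) // 86400)  # names change with the date
        qname = qname.lower().rstrip(".")
        names[key].add(qname)
        if rcode == "NXDOMAIN":
            failed[key].add(qname)
    hits = {}
    for key, qset in names.items():
        nx_ratio = len(failed[key]) / len(qset)
        entropy = sum(label_entropy(q.split(".")[0]) for q in qset) / len(qset)
        if len(qset) >= min_names and nx_ratio >= min_nx and entropy >= min_entropy:
            hits[key] = {"names": len(qset), "nx_ratio": round(nx_ratio, 2)}
    return hits

def constructed_log(seed=1):
    """Constructed sample: 10.0.0.5 sweeps 500 random names under the
    reserved .example TLD; 10.0.0.9 makes a few ordinary lookups."""
    rng = random.Random(seed)
    start = 14310 * 86400  # arbitrary midnight, epoch seconds
    lines = []
    for i in range(500):
        label = "".join(rng.choice("abcdefghijklmnopqrstuvwxyz") for _ in range(10))
        rcode = "NOERROR" if i % 100 == 0 else "NXDOMAIN"
        lines.append(f"{start + i} 10.0.0.5 {label}.example {rcode}")
    for i, host in enumerate(["www", "mail", "intranet"] * 4):
        lines.append(f"{start + i} 10.0.0.9 {host}.example NOERROR")
    return lines

if __name__ == "__main__":
    for (client, day), stats in flag_dga_sweeps(constructed_log()).items():
        print(client, day, stats)
```

Counting distinct names per day rather than raw queries keeps retries from inflating the score, and the NXDOMAIN ratio reflects that most generated names are not registered.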
This worm terminates processes that contain certain strings, if found running in memory. It also blocks access to Web sites that contain strings related to antivirus programs. This routine allows this worm to avoid early detection and consequent removal.
For additional information about this threat, see:
Description created: Mar. 7, 2009 12:44:12 PM GMT -0800