This worm drops the following copies of itself:
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003. %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)
It adds the following registry key as part of its installation routine:
This worm creates the following registry entry to enable its automatic execution at every system startup:
system32 = "%System%\system32.exe"
(Default) = "%Windows%\svchost.exe"
CPQEASYBTTN = "%System%\BttnServ.exe"
dllcache = "%System%\dllcache\dllcache.exe"
Propagation via Removable
This worm drops copies of itself in all removable drives.
This worm uses the following file name for its dropped files to trick users into thinking that it is a legitimate application:
It bears the icon of files related to the following application:
Analysis By: Michael Cabel