When the worm's file is run, it copies itself to the Windows System folder under a random name and creates a startup key for itself in the Registry. It then drops a randomly named spying component, a DLL file, into the same folder. This DLL file is detected as 'Trojan-Spy.Win32.Iespy.g'.
Before spreading by email, the worm collects email addresses. It scans files with the following extensions to harvest them:
The worm ignores email addresses that contain any of the following:
The worm sends emails containing a URL that points to infected files. The subject can contain any of the following:
The URL is composed from the domain names given below, the file names given above and a '.zip' ending.
Currently, the ZIP archives contain the worm's executable files with double extensions, for example:
[lots of spaces]
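Archive member names of the kind described above, a decoy extension followed by padding spaces and the real executable extension, can be flagged at a mail gateway or during triage. The following is an added example, not part of the original description; the extension list, the function names and the sample archive are assumptions constructed for illustration.

```python
import io
import re
import zipfile

# Assumed set of directly executable Windows extensions (not taken from the page).
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd"}

# <name>.<decoy ext><optional whitespace padding>.<final ext>
DOUBLE_EXT = re.compile(
    r"\.(?P<decoy>[A-Za-z0-9]{1,5})(?P<pad>\s*)\.(?P<final>[A-Za-z0-9]{1,5})\s*$"
)


def suspicious_members(zip_bytes):
    """Return (member name, reason) for entries hiding an executable extension."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            # Only the file name matters, not the directory part.
            base = info.filename.rsplit("/", 1)[-1]
            match = DOUBLE_EXT.search(base)
            if not match:
                continue
            if match.group("final").lower() not in EXECUTABLE_EXTS:
                continue
            # Padding pushes the real extension out of view in file dialogs.
            padded = bool(match.group("pad"))
            reason = "padded double extension" if padded else "double extension"
            findings.append((info.filename, reason))
    return findings


def build_sample_zip():
    """Constructed sample archive; member names and contents are made up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("photo.jpg" + " " * 40 + ".exe", b"MZ")
        archive.writestr("notes.txt.scr", b"MZ")
        archive.writestr("report.v2.pdf", b"%PDF")
        archive.writestr("tools/setup.exe", b"MZ")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in suspicious_members(build_sample_zip()):
        print(f"{reason}: {name!r}")
```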
The spying component steals POP3 and MSN email account logins and passwords, as well as lists of password-protected sites stored by Internet Explorer. The trojan also keeps a log of every key that the user presses. The stolen data is uploaded to the 'www.melaniecarroll.biz' website through a web form.