The worm is a 53kb Windows PE executable file written in Visual Basic and compressed with the UPX file compressor. The worm spreads itself with the help of the following files:
psexec.exe - a utility that allows running processes on remote computers
mswinsck.ocx - standard WinSock library for VB applications
- batch files that spread the worm to remote computers (dropped by the worm)
mwd.exe - the worm's executable file
The batch scripts that the worm drops are used to gain access to IPC$ and ADMIN$ shares protected by a weak password or no password at all. When such a share is discovered, the scripts copy the worm's main file mwd.exe, along with psexec.exe and mswinsck.ocx, to the \ADMIN$\System32\ folder (the Windows System folder on the remote computer) and start the worm's file remotely with the psexec.exe utility. As a result, the remote computer becomes infected with the worm. After spreading, the worm tries to delete the IPC$ and ADMIN$ shares.
On an infected computer the worm creates a startup key for its file in the System Registry:
"Windows Management Instumentation" = "%winsysdir%\mwd.exe"
The worm has a few additional features. It listens on a specific port and can allow remote hackers to log into it and perform the following actions:
- perform a DoS (Denial of Service) attack
- get system information
- search for specified files on a hard disk
- redirect traffic (works as a proxy)
- scan for open ports
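
The startup value and dropped files described above can be checked for on a host with a short triage script. This is an added example, not part of the original description; it assumes the autorun entries and the System32 file listing have already been exported by some inventory tool, and the function names and sample data are constructed for illustration.

```python
import ntpath

# Indicators taken from the description above.
RUN_VALUE_NAME = "Windows Management Instumentation"  # spelled as on the page
WORM_FILE = "mwd.exe"
DROPPED_SET = {"mwd.exe", "psexec.exe", "mswinsck.ocx"}


def exe_name(command):
    """Return the lower-cased executable name from a registry command string."""
    cmd = command.strip().lower()
    if cmd.startswith('"'):
        cmd = cmd[1:].split('"', 1)[0]      # quoted path: keep what is inside the quotes
    end = cmd.find(".exe")
    if end != -1:
        cmd = cmd[:end + 4]                 # drop any arguments after the executable
    return ntpath.basename(cmd)             # also handles %winsysdir%\mwd.exe


def check_autoruns(entries):
    """entries: iterable of (value_name, command). Returns (severity, name, command)."""
    findings = []
    for name, command in entries:
        name_hit = name.strip().lower() == RUN_VALUE_NAME.lower()
        file_hit = exe_name(command) == WORM_FILE
        if name_hit and file_hit:
            findings.append(("high", name, command))    # exact match with the description
        elif name_hit or file_hit:
            findings.append(("medium", name, command))  # partial match, review by hand
    return findings


def check_system32(filenames):
    """Return (dropped files present, True if the whole set is present)."""
    present = {f.lower() for f in filenames} & DROPPED_SET
    return sorted(present), present == DROPPED_SET


if __name__ == "__main__":
    # Constructed sample data, not taken from a real host.
    autoruns = [
        ("Windows Management Instumentation", r"%winsysdir%\mwd.exe"),
        ("ctfmon", r"C:\WINDOWS\system32\ctfmon.exe"),
    ]
    listing = ["kernel32.dll", "MSWINSCK.OCX", "psexec.exe", "mwd.exe"]
    print(check_autoruns(autoruns))
    print(check_system32(listing))
```

psexec.exe and mswinsck.ocx are legitimate files on their own, so the file check reports the full set separately from a partial match.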