Once present on the machine, Proslikefan creates copies itself in multiple locations and creates registry keys so the copied files will execute whenever Windows starts. Some variants of this worm family may also change the shortcut files (.lnk) present on the Desktop to point to copies of the worm, as well as the original intended application or destination. When these shortcuts are clicked, the worm copy is silently executed, then the original intended application or destination is launched or opened, so that the user sees no visible sign that the shortcut has been modified.
On execution, the worm attempts to contact multiple remote locations; if successful, it downloads additional files onto the affected machine.
The worm spreads by copying itself to mapped network shares and removable drives; an autorun file is also created on each drive so that the worm is executed whenever the drive is accessed. The worm also spreads by copying itself to folders used by file-sharing applications.
Proslikefan attempts to evade detection by checking for and stopping security-related processes. The worm also checks for the presence of antivirus programs, as well as other analysis programs commonly used by malware researchers. Finally, it modifies the hostsfile to prevent access to various security-related domains, including the websites of antivirus vendors.