Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.
Upon execution of the worm's file, it creates a copy of the file "%System%\msi.dll" as:
It then modifies this file with 21 bytes at the entry point, in order to load the file, %Temp%\tmp[Randomnumber1].tmp.
To complete loading the file, a series of additional changes must performed:
The cumulative effect of these changes cause the file, Temp%\tmp[Randomnumber1].tmp to be loaded as a Windows service.
The worm also creates the following files on Removable and Fixed Drives:
While active, the worm will attempt to connect to a remote site (see above). Once connected, it receives encrypted data from the remote server, which it then decrypts in order to create and load an executable file as:
The autorun.inf file created during installation contains the following strings:
Attempts to connect with HTTP to:
Creates these keys:
Date Created: 2009-03-26 02:46:56.0
Date Last Modified: 2009-03-26 07:46:55.0