This worm arrives as attachment to email messages spammed by another malware or a malicious user,it also Propagates via peer-to-peer networks. It drops copies of itself in all removable drives. It drops an AUTORUN.INF file to automatically execute dropped copies when the drives are accessed.It drops other malicious component to system directory and creates registry key(s) as part of its installation routine.
It drops copies of itself in folders used in peer-to-peer networks. It uses attractive file names for its dropped copies. It sends junk email and uses the copy of itself as attachment and induce user to open it.

This worm arrives as attachment to email messages spammed by another malware or a malicious user.The content of email has some different forms.We get one of them and place a snapshot of these emails here,take a look:

it harvests email adresses from file using the following extention in the affected system:

•  txt
•  htm
•  xml
•  php
•  asp
•  dbx
•  log
•  nfo
•  lst
•  rtf
•  xml
•  wpd
•  wps
•  xls
•  doc
•  wab

and it dont send the email to the address with following strings:

• berkeley
• mit.e
• ibm.com
• debian
• kernel
• linux
• usenet
• rfc-ed
• sendmail
• arin.
• sun.com
• isi.e
• isc.o
• secur
• acketst
• apache
• tanford.e
• utgers.ed
• mozilla
• firefox
• redhat
• sourceforge
• slashdot
• samba
• cisco
• syman
• panda
• avira
• f-secure
• ERS\flp
• sopho
• www.ca.com
• ahnlab
• novirusthanks
• prevx
• drweb
• bitdefender
• clamav
• eset.com
• ikarus
• mcafee
• kaspersky
• virusbuster
• badware
• immunityinc.com
• avg.comsysinternals
• borlan
• inpris
• lavasoft
• jgsoft
• ghisler.com
• wireshark
• winpcap
• acdnet.com
• acdsystems.com
• acd-group
• bpsoft.com
• 2\DRI
• buyrar.com
• bluewin.ch
• quebecor.com
• alcatel-lucent.com
• ssh.com
• winamp
• nullsoft.org
• example
• mydomai
• nodomai
• ruslis
• virus
• messagelabs
• honeynet
• honeypot
• security
• idefense
• qualys
• samples
• postmaster
• webmaster
• noone
• nobody
• nothing
• anyone
• someone
• rating
• contact
• somebody
• privacy
• service
• submit
• sales
• gold-certs
• the.bat
• admin
• icrosoft
• support
• ntivi
• linux
• listserv
• certific
• security
• ot\Syst
• secur
• abuse

and the email address of the sender also can be the following:

• e-cards@hallmark.com
• invitations@twitter.com
• invitations@hi5.com
• order-update@amazon.com
• resume-thanks@google.com

and the subject of the email may like following:
 

• You have received A Hallmark E-Card!
• Your friend invited you to twitter!
• Jessica would like to be your friend on hi5!
• Shipping update for your Amazon.com order 254-71546325-658732
• Thank you from Google!

and the email message may be like any of following:
 

There's something special about that E-Card feeling. We invite you to make a friend's day and send one.
Hope to see you soon,Your friends at Hallmark.

be your friend on hi5!  I set up a hi5 profile and I want to add you as a friend so we can share pictures and start building our network.
First see your invitation card I attached! Once you join, you will have a chance to create a profile, share pictures, and find friends.

Shipping update for your Amazon.com order 254-78546325-658742.Please check the attachment and confirm your shipping details.

selected and others that may be a fit. Should there be a suitable match, we will be sure to get in touch with you. Click on the attached file to review your submitted application.Have fun and thanks again for applying to Google!

and the file name of the attachment may be like following:

• Postcard
• Invitation Card
• Shipping documents
• CV-20100120-112

This worm creates the following folders:

C:\Documents and Settings\{username}\Application Data\SystemProc
It drops the following copy of itself:

• %System%\GoogleUpdate.exe

It drops the following file:

• %System%\stacsv.exe - it detected by anchiva as:Worm/SPYBOT.2440@mm
• %Windows%\bootstat.ocx -none malicious file where save the keypress and the name running processes
• C:\Documents and Settings\{username}\Application Data\SystemProc\lsass.exe - also detected as Worm/SPYBOT.2440@mm

It adds the following keys as part of its installation routine:

• HKEY_CURRENT_USER\Software\Microsoft\Google1
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{4207UWF4-IXEP-UTPF-2TDE-6606643L1T10}
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Google1

This worm creates the following registry entries to enable its automatic execution at every system startup:
 

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Sun Java Updater = "%System%\stacsv.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Google Update = "%System%\GoogleUpdate.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Sun Java Updater = "%System%\stacsv.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{4207UWF4-IXEP-UTPF-2TDE-6606643L1T10}
StubPath = "%System%\stacsv.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
RTHDBPL = "C:\Documents and Settings\{username}\Application Data\SystemProc\lsass.exe"

This worm drops copies of itself in the following peer-to-peer shared folders:
 

• C:\program files\bearshare\shared\
• C:\program files\edonkey2000\incoming\
• C:\program files\emule\incoming\
• C:\program files\grokster\my grokster\
• C:\program files\icq\shared folder\
• C:\program files\kazaa lite k++\my shared folder\
• C:\program files\kazaa lite\my shared folder\
• C:\program files\kazaa\my shared folder\
• C:\program files\limewire\shared\
• C:\program files\morpheus\my shared folder\
• C:\program files\tesla\files\
• C:\program files\winmx\shared\

It uses the following file names for its dropped copies:

• AOL Instant Messenger (AIM) Hacker.exe
• AOL Password Cracker.exe
• Brutus FTP Cracker.exe
• Counter-Strike KeyGen.exe
• DCOM Exploit.exe
• DivX 5.0 Pro KeyGen.exe
• FTP Cracker.exe
• Half-Life 2 Downloader.exe
• Hotmail Cracker.exe
• Hotmail Hacker.exe
• ICQ Hacker.exe
• IP Nuker.exe
• Keylogger.exe
• L0pht 4.0 Windows Password Cracker.exe
• Microsoft Visual Basic KeyGen.exe
• Microsoft Visual C++ KeyGen.exe
• Microsoft Visual Studio KeyGen.exe
• MSN Password Cracker.exe
• NetBIOS Cracker.exe
• NetBIOS Hacker.exe
• Norton Anti-Virus 2005 Enterprise Crack.exe
• Password Cracker.exe
• sdbot with NetBIOS Spread.exe
• Sub7 2.3 Private.exe
• UT 2003 KeyGen.exe
• Website Hacker.exe
• Windows 2003 Advanced Server KeyGen.exe
• Windows Password Cracker.exe

This worm drops copies of itself in all removable drives,and the content of the said AUTORUN.inf file like following strings:
[autorun]
open=RECYCLER\S-1-6-21-2434476521-1645641927-702000330-1542\redmond.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
shell\open=Open
shell\open\command=RECYCLER\S-1-6-21-2434476521-1645641927-702000330-1542\redmond.exe
shell\open\default=1