Upon first execution the worm copies itself to %SYSDIR%\lmovie.exe and drops the files %SYSDIR%\olemdb32.dll (detected as W32/Sality.J) and %WINDIR%\vcualts32.exe (detected as W32/Bagle.EG@dl). The files %SYSDIR%\lmovie.exeopen and %SYSDIR%\lmovie.exeopenopen (both detected as W32/Sality.AC) may also be dropped. Then, before it terminates, it executes the files vcualts32.exe and lmovie.exe.
Note: %SYSDIR% refers to the System directory. The default path for the respective operating systems is as follows:
- Windows 95/98/Me - C:\Windows\System
- Windows NT/2000 - C:\Winnt\System32
- Windows XP - C:\Windows\System32
It adds the value:
to the key:
to make sure it is executed at startup.
Creates copies of itself under the following names:
anna benson sex video.exe
kate beckinsale nude pictures.exe
jenna elfman sex anal deepthroat
miss america Porno, sex, oral, anal cool, awesome!!.exe
barrett jackson nude photos, movies, porn video.exe
Britney Spears sex photos.exe
paris hilton Porno pics arhive, xxx.exe
Windows Sourcecode update.doc.exe
Ahead Nero 10.exe
Windown Vista Beta Leak.exe
IE beta 7.exe
Serials 2005 database.exe
XXX hardcore images.exe
Adobe Photoshop 9 full.exe
in all directories containing the string "shar" in their name. This is done in an attempt to spread via P2P networks and network shares.
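A triage check for the file indicators described above, as an added example that is not part of the original description: it reports the dropped files and any listed names found in directories whose name contains "shar". The function names, the case-insensitive matching and the match on the directory's own name are assumptions.

```python
import os
import sys

# Lure file names exactly as listed in this description (lower-cased for matching).
LURE_NAMES = {name.lower() for name in (
    "anna benson sex video.exe", "kate beckinsale nude pictures.exe",
    "jenna elfman sex anal deepthroat",
    "miss america Porno, sex, oral, anal cool, awesome!!.exe",
    "barrett jackson nude photos, movies, porn video.exe",
    "Britney Spears sex photos.exe", "paris hilton Porno pics arhive, xxx.exe",
    "Windows Sourcecode update.doc.exe", "Ahead Nero 10.exe",
    "Windown Vista Beta Leak.exe", "IE beta 7.exe", "Serials 2005 database.exe",
    "XXX hardcore images.exe", "Adobe Photoshop 9 full.exe",
)}
# Dropped files named in this description, relative to %SYSDIR% and %WINDIR%.
SYSDIR_DROPS = ("lmovie.exe", "olemdb32.dll", "lmovie.exeopen", "lmovie.exeopenopen")
WINDIR_DROPS = ("vcualts32.exe",)


def find_lures(root):
    """Return listed lure files found in directories whose own name contains 'shar'."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        # Assumption: the match is case-insensitive and on the directory's own name.
        if "shar" not in os.path.basename(dirpath).lower():
            continue
        hits += [os.path.join(dirpath, f) for f in files if f.lower() in LURE_NAMES]
    return sorted(hits)


def find_drops(sysdir, windir):
    """Return the dropped-file paths that exist under the given directories."""
    paths = [os.path.join(sysdir, n) for n in SYSDIR_DROPS]
    paths += [os.path.join(windir, n) for n in WINDIR_DROPS]
    return [p for p in paths if os.path.isfile(p)]


if __name__ == "__main__":
    windir = os.environ.get("WINDIR", r"C:\Windows")
    sysdir = os.path.join(windir, "System32")  # assumption: NT-family layout
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path in find_drops(sysdir, windir) + find_lures(root):
        print("indicator present:", path)
```

A hit is a file-name match only and should be confirmed with a scanner.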
It infects all suitable executables it finds. All infected files are detected as W32/Sality.J. The file %SYSDIR%\olemdb32.dll is embedded in the infected files.
The file %WINDIR%\vcualts32.exe tries to download and execute files from the Internet.
Harvests e-mail addresses from files having the following extensions:
Sends itself as an attachment to harvested addresses.
The e-mail has one of the following subjects:
Will You Be My Valentine?
Love you with all my heart!
See you tonight!
Come Be With Me, my Love!
My dream is coming true!
The attachment has one of the following names:
Avoids sending itself to e-mail addresses having one of the following substrings: