Upon first execution the worm copies itself to %WINDIR%\tsrv.exe. It also drops the files msji449c14b7.dll, cmut449c14b7.dll and hpzl449c14b7.exe into %SYSDIR%, and the file tsrv.dll into %WINDIR%.
Note: %SYSDIR% refers to the System directory. The default path for the respective operating systems is as follows:
- Windows 95/98/Me - C:\Windows\System
- Windows NT/2000 - C:\Winnt\System32
- Windows XP - C:\Windows\System32
Then it displays the following message:

and restarts itself from a newly created copy.
It may also create additional files in %WINDIR%, with filenames starting with "tsrv", to store its data, such as harvested e-mail addresses.
It adds the value:
"tsrv" = "%WINDIR%\tsrv.exe s"
to the registry key:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
to make sure it's executed at system startup.
It appends the string " msji449c14b7.dll" to the value "AppInit_DLLs" in the registry key:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
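A check for the two registry changes described above, as an added example that is not part of the original description: it scans the text of a registry export for the "tsrv" Run value and the msji449c14b7.dll entry in AppInit_DLLs. The export below is constructed sample data, the function names are hypothetical, and a real reg export file (typically UTF-16) must be decoded to text first.

```python
import re

# Indicators taken from the description above.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
APPINIT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
RUN_VALUE = "tsrv"
APPINIT_DLL = "msji449c14b7.dll"

# Constructed sample in "reg export" text format (not captured from a real host).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"tsrv"="C:\\WINDOWS\\tsrv.exe s"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="legit.dll msji449c14b7.dll"
'''
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')

def parse_reg(text):
    """Return {key_lower: {value_name_lower: string_data}} for string values."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := VALUE_RE.match(line)):
            # .reg files escape backslashes and quotes inside string data.
            name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
            current[name.lower()] = data
    return keys

def find_indicators(text):
    """List the persistence entries from the description found in the export."""
    keys, hits = parse_reg(text), []
    run = keys.get(RUN_KEY.lower(), {}).get(RUN_VALUE, "")
    # The command line is "<path>\tsrv.exe s": match the image name only.
    if re.search(r"\\tsrv\.exe(\s|$)", run, re.IGNORECASE):
        hits.append(("Run", run))
    appinit = keys.get(APPINIT_KEY.lower(), {}).get("appinit_dlls", "")
    # AppInit_DLLs is a space- or comma-delimited list of DLLs.
    dlls = [d.lower() for d in re.split(r"[ ,]+", appinit) if d]
    if any(d.rsplit("\\", 1)[-1] == APPINIT_DLL for d in dlls):
        hits.append(("AppInit_DLLs", appinit))
    return hits

if __name__ == "__main__":
    for where, data in find_indicators(SAMPLE_EXPORT):
        print(f"{where}: {data}")
```

Matching on the DLL name inside the delimited list, rather than on the whole value, still flags the entry when other DLLs are already registered in AppInit_DLLs.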
It may try to download and execute additional files from the Internet.
It harvests e-mail addresses from files having one of the following extensions:
pl
msg
ods
tbb
dbx
txt
mbx
php
mht
adb
cgi
oft
eml
wab
jsp
xml
asp
nch
cfg
wsh
htm
uin