When executed, the worm opens up a Notepad program with garbage data in it. The worm instals the library shimgapi.dll to the %system% folder. The library is a trojan horse, making remote control of the computer possible, including installation of any program. It opens TCP ports between 3127 - 3198 for communication. The worm copies itself to the taskmon.exe file in the %system% folder.
The worm adds its own keys to the following registry items:
\HKLM\Software\Microsft\Windows\CurrentVersion\Run
\HKCU\Software\Microsft\Windows\CurrentVersion\Run
It adds the keys TaskMon with the value %System%\taskmon.exe - this item launches the worm when the Windows starts.
HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
It puts the value %SysDir%\shimgapi.dll to the Default item - this item launches the trojan horse in the Explorer.exe's memory space.
It also creates a subkey in
\HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version
\HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version
The worm will perform the DDoS (distributed denial of service) attack on 1st February 2004 to the site
www.sco.com. It will stop all of its activity on 12th February 2004. The trojan horse remains active after this date however.