http://upx.sourceforge.net

Usando su propio SMTP (Simple Mail Transfer Protocol) se auto-envía a las direcciones de correo contenidas en la Libreta de Direcciones de Windows (WAB) o de archivos con las siguientes extensiones:

• txt
• htm
• dbx
• tbi
• tbb

Remitente, emplea la técnica Spoofing que disfraza la identidad de los remitentes.

Asunto, aleatoriamente uno de los siguientes:

• Re: User ID Update
• Fwd: Your Funds are Eligible for Withdrawal
• find a solution with this customer
• No Subject
• Re: Help Desk Registration
• failure notice
• Fwd: Password
• when should i call you?
• RE: Re: A question
• Knowledge Base Article
• Open Invoices
• Returned mail: see transcript for details
• building maintenance
• [Fwd: Broken link]
• WinXP
• troubles are back again
• Questions
• Order Approval
• units available
• progress news
• big announcements
• Need help pls
• You have recieved an eCard!
• What is this ????
• Deactivation Notice
• Message recieved, please confirm
• My funny stories
• Cost Inquiry
• Re: payment
• referrences
• Webmail Invite
• RE: quote request

Contenido, uno de los siguientes:

• Hello,
  Sorry, I forgot to attach the new contact information. 
  Please view the attached (.pdf) contact sheet. 
  Sincerely, 
  User 
• Hello,
  I resent this email as attachment because
  it was previously blocked by your email filters.
  Please read the attachment and respond.
  Thanks,
  User
• Hello,
  I was in a hurry and I forgot to attach an important 
  document. Please see attached.
  Best Regards,
  User
• Hello,
  Your email was received.
  YOUR REPLY IS URGENT!
  Please view the attached text file for instructions.
  Regards,
  User
• Hello,
  Your email was sent in an INVALID format.
  To verify this email was sent from you,
  simply open the attached email (.eml) file
  and click yes in the sender options box.
  Thank You,
  User
• Hello,
  My PC crashed while I was sending that last email.
  I have re-attached the document of yours that I discovered.
  Please read attached document and respond ASAP.
  Sincerely,
  User
• Hello,
  What version of windows you are using?
  This last document I received from you came out weird.
  Please see the attached word file and resend the file to me.
  Many thanks,
  User
• ***YOUR MESSAGE HAS BEEN RECOGNIZED AS SPAM***
  Hello,
  The previous email you sent has been recognized as spam.
  This means your email was not delivered to your friend or client.
  You must open the attached file to receive more information.
  ***YOUR MESSAGE HAS BEEN RECOGNIZED AS SPAM***
• ***ATTENTION: YOUR EMAIL IS NOT BEING DELIVERED!***
  You are currently unable to send emails.
  This may be a billing issue.
  Please call the billing center.
  The # for the billing office is located in the attached
  contact list for your convenience.
  ***ATTENTION: YOUR EMAIL IS NOT BEING DELIVERED!***
• ***URGENT: SERVICE SHUTDOWN NOTICE***
  Due to your failure to comply with our email
  Rules and Regulations, your email account has been
  temporarily suspended for 24 hours unless we are contacted regarding
  this situation.
  You must read the attached document for further
  instructions. Failure to comply will result in termination of your account.
  Regards,
  Net Operator
  ***URGENT: SERVICE SHUTDOWN NOTICE***
• last request before refunding

Anexado, uno de los siguientes:

• Ctutorial.doc [espacios] .exe
• doc.doc [espacios] .exe
• documents.doc [espacios] .exe
• atach.doc [espacios] .exe
• file.doc [espacios] .exe
• read.doc [espacios] .exe
• readme.doc [espacios] .exe
• contact.doc [espacios] .exe
• mail.doc [espacios] .exe
• att.doc [espacios] .exe
• warning.doc [espacios] .exe
• db.doc [espacios] .exe
• msg.doc [espacios] .exe
• message.doc [espacios] .exe
• messages.doc [espacios] .exe
• archive.doc [espacios] .exe
• arch.doc [espacios] .exe
• support.doc [espacios] .exe
• account.doc [espacios] .exe
• doc.zip
• documents.zip
• atach.zip
• file.zip
• read.zip
• readme.zip
• contact.zip
• mail.zip
• att.zip
• warning.zip
• db.zip
• msg.zip
• message.zip
• messages.zip
• archive.zip
• arch.zip
• support.zip
• account.zip

Si tiene la extensión .ZIP, contiene archivos con una o dos extensiones .jpg y .pif

Al activarse el gusano se copia a la carpeta %System% como tutorial.doc [espacios] .exe y para ejecutarse la próxima vez que se re-inicie el sistema genera la siguiente llave de registro:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"syslogin.exe" = "%System%\syslogin.exe" 

A continuación se copia a: 

• %System%\dl.exe
• %System%\ndisapi.dll
• %System%\ndisrd.sys

%System% es la variable C:\Windows\System para Windows 95/98/Me, C:\Winnt\System32 para Windows NT/2000 y C:\Windows\System32 para Windows XP y Windows Server 2003.