When executed, the worm opens Notepad with garbage data in it. The worm installs the library shimgapi.dll to the %system% folder. The library is a trojan horse that makes remote control of the computer possible, including installation of any program. It opens TCP ports in the range 3127-3198 for communication. The worm copies itself to the taskmon.exe file in the %system% folder.
The worm adds its own keys to the following registry items:
It adds the key TaskMon with the value %System%\taskmon.exe; this item launches the worm when Windows starts.
It sets the Default item to the value %SysDir%\shimgapi.dll; this item launches the trojan horse in Explorer.exe's memory space.
It also creates a subkey in
The worm will perform a DDoS (distributed denial of service) attack on the site www.sco.com on 1st February 2004. It will stop all of its activity on 12th February 2004. The trojan horse, however, remains active after this date.
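A host triage check built from the indicators described above, added here as an example and not part of the original description: it scans Windows `netstat -an` output for TCP listeners in the 3127-3198 range and a %system% directory listing for the two file names. The sample netstat text, the directory listing and the function names are constructed for illustration.

```python
import re

# Indicators taken from the description above.
PORT_RANGE = range(3127, 3199)                   # TCP 3127-3198 inclusive
SYSTEM_FILES = {"shimgapi.dll", "taskmon.exe"}   # names dropped in %system%

# One TCP row of Windows `netstat -an`: proto, local addr:port, remote, state.
_ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+(\w+)\s*$", re.IGNORECASE)

def suspicious_listeners(netstat_text):
    """Return sorted local TCP ports in 3127-3198 that are in LISTENING state."""
    ports = set()
    for line in netstat_text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue  # header, UDP row or blank line
        port, state = int(m.group(2)), m.group(3).upper()
        # Only listeners count: an outbound connection may use a local
        # ephemeral port that happens to fall inside the same range.
        if state == "LISTENING" and port in PORT_RANGE:
            ports.add(port)
    return sorted(ports)

def suspicious_files(system_dir_listing):
    """Return entries of a %system% listing whose name matches an indicator."""
    return sorted(n for n in system_dir_listing if n.lower() in SYSTEM_FILES)

def triage(netstat_text, system_dir_listing):
    """Combine both checks; a hit is a lead to investigate, not a verdict."""
    return {"listeners": suspicious_listeners(netstat_text),
            "files": suspicious_files(system_dir_listing)}

# Constructed sample input (not captured from a real host).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:3150      10.0.0.5:80            ESTABLISHED
  TCP    0.0.0.0:3199           0.0.0.0:0              LISTENING
  UDP    0.0.0.0:445            *:*
"""
SAMPLE_SYSTEM_DIR = ["kernel32.dll", "SHIMGAPI.DLL", "taskmon.exe", "notepad.exe"]

if __name__ == "__main__":
    print(triage(SAMPLE_NETSTAT, SAMPLE_SYSTEM_DIR))
```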