Once executed, the worm copies itself as "%SYSTEM%\\beta.exe" and creates the following registry keys in order to be executed at startup:
- HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\WINDOWS SYSTEM = "beta.exe"
- HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices\\WINDOWS SYSTEM = "beta.exe"
The worm scans the local drives for files with extensions:
TXT, HTMB, SHTL, JSPL, CGIL, XMLS, PHPQ, ASPD, DBXN, TBBG, ADBH, PL, HTML, WAB,
and scans them for email addresses which will be used for spreading.
To send an email the worm tries to guess the SMTP server of the email's domain, using suffixes like:
(e.g. for email@example.com it tries SMTP servers like mx.somewhere.com, mail.somewhere.com), or using the local user's SMTP server found in registry key
"HKCU\\Software\\Microsoft\\Internet Account Manager\\Accounts\\SMTP Server"
The mail's subject is one of following:
- *DETECTED* Online User Violation
- *WARNING* Your Email Account Will Be Closed
- [caracteres al azar]
- Account Alert
- Email Account Suspension
- Important Notification
- Notice of account limitation
- Notice: **Last Warning**
- Security measures
- Your Email Account is Suspended For Security Reasons
- *DETECTED* ONLINE USER VIOLATION
- *WARNING* YOUR EMAIL ACCOUNT WILL BE CLOSED
- ACCOUNT ALERT
- EMAIL ACCOUNT SUSPENSION
- IMPORTANT NOTIFICATION
- NOTICE OF ACCOUNT LIMITATION
- NOTICE: **LAST WARNING**
- SECURITY MEASURES
- YOUR EMAIL ACCOUNT IS SUSPENDED FOR SECURITY REASONS
The mail's body could be one of the following:
- The original message has been included as an attachment.
- We regret to inform you that your account has been suspended due to the violation of our site policy, more info is attached.
- We attached some important information regarding your account.
- Please read the attached document and follow it's instructions.
- We attached your account information.
- Please confirm the attached document!
The message also contains an attached file, with random name or with a name from the following list, with extensions "[doc/htm/txt] .[exe/scr/pif]"
Also, the worm is an IRC bot, so it can recieve commands like download and execute any file from internet, including it's own updates, can send any local file, or system information.
The worm terminates a large list of processes that could detect or stop it, also it modifies the Windows hosts file to prevent the antivirus programs from updating.