Once run, the worm creates a mutex to signal its presence in the system, installs itself in %SYSTEM%\MSBlast.exe and creates a new value in the registry key [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]. The value is called windows auto update and points to the copied file, so that the worm is loaded into the computer's memory each time it is restarted.
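The persistence described above can be checked on a suspect host by parsing the output of `reg query` for the Run key. The following is an added example, not part of the original description; the sample output is constructed, and the parser assumes the usual `reg query` layout of name, type and data separated by four spaces.

```python
import re

# Indicators taken from the description above.
RUN_VALUE_NAME = "windows auto update"
WORM_FILE_NAME = "msblast.exe"

# One value line of `reg query` output: name, type, data separated by 4 spaces.
VALUE_LINE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_[A-Z_]+)\s{4}(?P<data>.*)$")
EXE_NAME = re.compile(r'([^\\/"\s]+\.exe)', re.IGNORECASE)


def parse_run_values(reg_query_output):
    """Return (name, type, data) tuples from `reg query <Run key>` text."""
    values = []
    for line in reg_query_output.splitlines():
        match = VALUE_LINE.match(line)
        if match:
            values.append((match["name"], match["type"], match["data"].strip()))
    return values


def find_msblast_persistence(reg_query_output):
    """Flag Run values matching the value name or file name from the description."""
    hits = []
    for name, _type, data in parse_run_values(reg_query_output):
        reasons = []
        # Registry value names are case-insensitive, so compare case-folded.
        if name.strip().casefold() == RUN_VALUE_NAME:
            reasons.append("value name")
        # Compare whole executable names so "notmsblast.exe" does not match.
        if WORM_FILE_NAME in {m.casefold() for m in EXE_NAME.findall(data)}:
            reasons.append("file name")
        if reasons:
            hits.append({"name": name, "data": data, "reasons": reasons})
    return hits


# Constructed sample output, not captured from a real host.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SynTPEnh    REG_SZ    "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
    Windows Auto Update    REG_SZ    msblast.exe
    helper    REG_SZ    C:\WINDOWS\system32\MSBlast.exe -q
    updater    REG_SZ    C:\Tools\notmsblast.exe
"""

if __name__ == "__main__":
    for hit in find_msblast_persistence(SAMPLE):
        print(hit["name"], "->", hit["data"], hit["reasons"])
```

Matching on the file name as well as the value name also catches an entry whose value name has been changed but which still points to the copied file.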
It spreads by exploiting the Microsoft Windows DCOM RPC vulnerability. When it detects a vulnerable system, it uses the exploit to issue a TFTP command on that system to fetch a copy of the worm, which is then executed.
As its payload, the worm initiates denial of service (DoS) attacks on windowsupdate.com after the 15th of August 2003.
Its body includes two strings that are not used: I just want to say LOVE YOU SAN!! and billy gates why do you make this possible ? Stop making money and fix your software!!
The worm was written in C and compiled with LCC-Win32.