This worm arrives through network shares. Upon execution, it drops a copy of itself in the Windows system folder.
It generates IP addresses and spreads by dropping a copy of itself in several default shares of target addresses. For shares with restricted access, it uses NetBEUI functions to gather available lists of user names and passwords. It also uses a list of user names and passwords to gain access to these shares.
It has backdoor capabilities. It connects to an Internet Relay Chat (IRC) server and joins a specific channel. Once connected, it listens for commands coming from a remote malicious user, and it executes these commands on the affected system.