Copies itself to: %System%\Wins\Dllhost.exe NOTE: %System% is a variable. The worm locates the System folder and copies itself to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP). Makes a copy of %System%\Dllcache\Tftpd.exe, as %System%\Wins\svchost.exe. NOTE: Svchost.exe is a legitimate program, which is not malicious, and therefore Symantec antivirus products will not detect it. Creates the following services: Service Name: RpcTftpd Service Display Name: Network Connections Sharing Service Binary: %System%\wins\svchost.exe This service will be set to start manually. Service Name: RpcPatch Service Display Name: WINS Client Service Binary: %System%\wins\dllhost.exe This service will be set to start automatically. Ends the process, Msblast, and delete the file %System%\msblast.exe which is dropped by the worm, W32.Blaster.Worm. The worm will select the victim IP address in two different ways. It will either use A.B.0.0 from the infected machine's IP of A.B.C.D and count up, or it will construct a random IP address based on some hard-coded addresses. After selecting the start address, it will count up through a range of Class C sized networks, for example, if it starts at A.B.0.0, it will count up to at least A.B.255.255. The worm will send an ICMP echo, or PING, to check if the IP address constructed is an active machine on the network. Once the worm identifies a machine as being active on the network, it will either send data to TCP port 135, which exploits the DCOM RPC vulnerability, or it will send data to TCP port 80 to exploit the WebDav vulnerability. Creates a remote shell on the vulnerable host that will connect back to the attacking computer on a random TCP port between 666 and 765 to receive instructions. Launches the TFTP server on the attacking machine, instructs the victim machine to connect and download Dllhost.exe and Svchost.exe from the attacking machine. If the file, %System%\dllcache\tftpd.exe exists, the worm may not download svchost.exe. Checks the computer's operating system version, Service Pack number, and System Locale and attempts to connect to Microsoft's Windows Update and download the appropriate DCOM RPC vulnerability patch. Once the update has been download and executed, the worm will restart the computer so that the patch is installed. Checks the computer's system date. If the year is 2004, the worm will disable and remove itself.