The worm spreads through MSN messengers. When the user launches the worm, it will drop itself into the C:\ directory under one of the following names.
Drunk_lol.pif love_me.pif naked_party.pif sexy_bedroom.pif Webcam_004.pif
It will also drop Backdoor.Win32.rbotfly into the Windows directory.
adaware.exe lexplore.exe VB6.EXE Win32.exe
It will register this .exe into the System Registry to ensure it always starts on system bootup. See Payload for further details.
The worm will behave similarly to a rogue antivirus, blocking access to both Command Prompt and Task Manager. It will also prevent access to right-click menus, so said executables cannot be renamed.
The user will recieve the file in ".pif" format through MSN, under the aliases mentioned in Spreading Routine and Installation