Windows 95/98/ME:
1. It will create the file INETD.EXE in the Windows directory and it will alter the "run=" line in the WIN.INI file (also located in the Windows directory) to read "run=inetd.exe".
2. It will then create the files KERN32.DLL and HKSDLL.DLL to the Windows\System directory, and will create the following key in the Registry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\kernel32= kern32.exe
Windows NT/2000:
1. It will create the files KERN32.DLL and HKSDLL.DLL to the Windows\System directory, and will create the following key in the Registry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\kernel32= kern32.exe
2. It will create the file INETD.EXE in the Winnt directory and will create the following registry key:
HKEY_USERS\Software\Microsoft\WindowsNT\CurrentVersion\Windows\RUN= C:\Winnt\Inetd.exe
Removing the Worm
The worm was first discovered earlier in April, so the anti-virus software on your computer should be able to remove the infected files from your computer so long as it is completely up-to-date. If you do not currently have any anti-virus software on your computer and you are a member of the University of Maryland College Park, you can download McAfee anti-virus software
here, install it on your system, and update it (complete instructions for downloading and installing, or simply updating, are available from the same download web page).
If your anti-virus software cannot fully remove the worm, follow the removal instructions on Symantec's web page at:
http://www.symantec.com/avcenter/venc/data/pf/w32.badtrans.13312@mm.html