• Virus is 32 bit and has a compressed size of 16,896 bytes
  • When executed, virus searches the network by implementing instructions across available SMB client protocol, seeking other client targets which may have shares on IPC$ (typically Windows 2000/XP), C$ or Admin$
  • Virus attempts to gain access to these systems by attempting to guess passwords using a table of names to try, in a “brute-force” method – once virus gains access to the target, it attempts to copy itself to these target systems as “iraq_oil.exe”
  • Virus then initiates a remote session of Task Scheduler and creates a job to initiate the worm after a set period of time within five minutes