When the worm is launched, it copies itself as sysmonxp.exe to the Windows directory and registers itself as sysmonxp under the Run key in the Windows Registry. The worm creates the file firewallloger.txt and the helper files zipo0.txt, zipo1.txt, zipo2.txt, zipo3.txt, zippedbase64.tmp and base64.tmp in the same directory. It then also launches notepad.exe.
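
The installation artifacts listed above can be checked against endpoint telemetry; the following is an added example, not part of the original description or of any vendor tool. The event schema, host names and sample events are constructed, and the Run key is assumed to be the standard `Software\Microsoft\Windows\CurrentVersion\Run` location because the description does not name the hive.

```python
import ntpath

# Indicators named in the description above.
DROPPED_COPY, RUN_VALUE = "sysmonxp.exe", "sysmonxp"
HELPER_FILES = {"firewallloger.txt", "zipo0.txt", "zipo1.txt", "zipo2.txt",
                "zipo3.txt", "zippedbase64.tmp", "base64.tmp"}
# Assumption: the standard Run key path; the description does not name the hive.
RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run"

def triage(events, windir=r"C:\Windows"):
    """Group indicator hits per host and return {host: findings with verdict}."""
    windir = ntpath.normcase(windir).rstrip("\\")
    hosts = {}
    for ev in events:
        hit = hosts.setdefault(ev["host"],
                               {"copy": False, "run_key": False, "helpers": set()})
        if ev["type"] == "file_create":
            folder, name = ntpath.split(ntpath.normcase(ev["path"]))
            if folder.rstrip("\\") != windir:
                continue  # the same file names elsewhere are not what the worm drops
            if name == DROPPED_COPY:
                hit["copy"] = True
            elif name in HELPER_FILES:
                hit["helpers"].add(name)
        elif ev["type"] == "reg_set":
            key = ntpath.normcase(ev["key"]).rstrip("\\")
            if key.endswith(RUN_KEY_SUFFIX) and ev["value"].lower() == RUN_VALUE:
                hit["run_key"] = True
    for hit in hosts.values():
        if hit["copy"] and hit["run_key"]:
            hit["verdict"] = "match"      # installed copy plus Run key persistence
        elif hit["copy"] or hit["run_key"] or hit["helpers"]:
            hit["verdict"] = "partial"    # single indicator, needs analyst review
        else:
            hit["verdict"] = "clean"
    return hosts

# Constructed sample events (hypothetical schema, not real telemetry).
SAMPLE = [
    {"host": "ws01", "type": "file_create", "path": r"C:\WINDOWS\sysmonxp.exe"},
    {"host": "ws01", "type": "file_create", "path": r"C:\Windows\zipo0.txt"},
    {"host": "ws01", "type": "reg_set", "value": "sysmonxp",
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"},
    {"host": "ws02", "type": "file_create", "path": r"C:\Users\a\base64.tmp"},
    {"host": "ws03", "type": "file_create", "path": r"C:\Windows\base64.tmp"},
]

if __name__ == "__main__":
    print({h: v["verdict"] for h, v in triage(SAMPLE).items()})
```

Generic names such as base64.tmp only count when they appear in the Windows directory, and a lone helper file is reported as "partial" rather than as a match.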

Spreading: e-mail
The worm spreads by sending itself to e-mail addresses taken from files with the xml, wsh, jsp, msg, oft, ***, dbx, tbb, adb, dhtm, cgi, shtm, uin, rtf, vbs, doc, wab, asp, php, txt, eml, html, htm and pl extensions.

The message format is as follows:
The sender address is faked.

The message subject and body are variable.

The attachment name is random; the attachment can be a zip archive or a file with an executable extension.