Once executed, the worm copies itself as: %Windir%\svchost.exe

The worm creates the following registry entry so that it is executed every time Windows starts: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"svchost" = "%Windir%\svchost.exe"

The worm then creates the following registry subkey and value: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\System7154\"GL" = "[DATE]"

The worm opens a back door on the compromised computer on TCP port 7154.

The worm displays a dialog box with one of the following texts:

  • "System Failure #7154"
  • "I'm not a puppet. I am a grenade"
  • "You has been infected with System.7154N"

The worm spreads by sending a copy of itself as an attachment to email addresses gathered from the compromised computer. The email has the following characteristics:

"No me olvido de ti"

"te pongo adjunto u screen saver espero que te guste a mi me parecio cuando menos interesante saludos!!!!!!"

The zip file attachment contains one of the following file names:

  • Best_pictures1992.exe
  • Fidel Castro.exe
  • Shakira_comico.exe
  • VIH.exe
  • administracion de redes.exe
  • amor.exe
  • base de datos.exe
  • bola magica.exe
  • calientitas.exe
  • carta de amor.exe
  • chistes.exe
  • conversador.exe
  • encuesta.exe
  • famosas.exe
  • fucker_bromas.exe
  • hacking en espanol.exe
  • mide tu inteligencia.exe
  • mujeres.exe
  • muy gordas.exe
  • penetracion segura.exe
  • querida lisa.exe
  • revelacion.exe
  • sexo seguro.exe
  • te quiero decir....exe
  • te quiero.exe
  • test.exe
  • tu futuro.exe
  • vahinas.exe
  • zodiaco.exe
  • zoofilia.exe

The worm closes windows with the following titles:

  • Windows security alert
  • Alerta de seguridad de windows

It scans the compromised computer and infects any .exe files it finds except those found in the following folders:

  •  %Windir%
  •  %ProgramFiles%
Community content is available under CC-BY-SA unless otherwise noted.