The worm sends its code as an HTTP request. The request exploits a known buffer-overflow vulnerability in the target's Web server, which allows the worm's code to execute on that computer. The malicious code is never written to disk as a file; it is injected into, and then run directly from, memory. Because nothing is stored on disk, file-based scanning will not find it, and restarting the computer removes the running copy but not the vulnerability that let it in.
Once running, the worm checks for the file C:\Notworm. If this file exists, the worm does not proceed: the thread goes into an infinite sleep state.
If C:\Notworm does not exist, the worm creates new threads. If the day of the month is before the 20th, the next 99 threads attempt to exploit other computers by sending the same request to randomly generated IP addresses. To avoid looping back and reinfecting the source computer, the worm never sends HTTP requests to addresses in 127.*.*.* (the loopback range).
If the computer's default language is U.S. English, a further thread defaces the Web pages the server returns. The thread first sleeps for two hours and then hooks the function that responds to HTTP requests; instead of returning the correct Web page, the worm returns its own HTML code.
The HTML displays:
Welcome to http://www.worm.com !
Hacked By Chinese!
This hook lasts for 10 hours and is then removed. However, reinfection or other threads can re-hook the function. Because the hook replaces the HTTP response in memory rather than editing the site's files, the Web pages on disk are unchanged.
Two versions of this worm have been seen in the wild. The second version does not deface Web pages.
Also, if the day of the month is between the 20th and the 28th, the active threads instead attempt a denial-of-service attack on a single IP address by sending large amounts of junk data to port 80 (the Web service) of 198.137.240.91, which at the time was the address of www.whitehouse.gov. That IP address has since been changed and is no longer active.
Finally, if the date is later than the 28th of the month, the worm's threads are not run but are sent into an infinite sleep state. All of these date checks use the infected computer's local clock. Creating this many threads can make the infected computer unstable.
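To make the timing rules above concrete, here is a small Python model of the behaviour the write-up describes. It is an added example, not the worm's code or any vendor tool: it sends no traffic and creates no files, it only reports what the threads would do for a given day of the month, default language and kill-switch state, and it generates random targets while skipping 127.0.0.0/8 the way the write-up says the worm does. The function names, the seeded random generator and the sample page body are my own; treating the defacement thread as independent of the date is an assumption of this model, since the write-up ties it to the default language only.

```python
"""Model of the date-gated worm behaviour described in the write-up.

Added example: a simulation only. Thread counts, day thresholds, the
kill-switch path and the DoS target are the values given in the write-up;
the function names and the sample page body are constructed for this example.
"""
import ipaddress
import random

KILL_SWITCH_PATH = r"C:\Notworm"      # if this file exists, every thread sleeps forever
PROPAGATION_THREADS = 99              # threads that probe random addresses before the 20th
DOS_TARGET = ("198.137.240.91", 80)   # historical www.whitehouse.gov address, no longer active
DEFACEMENT_DELAY_HOURS = 2            # sleep before hooking the HTTP response function
DEFACEMENT_HOOK_HOURS = 10            # how long the hook stays in place
DEFACEMENT_MARKER = "Hacked By Chinese!"


def phase_for(day_of_month):
    """Map the infected machine's local day of the month to the worm's phase."""
    if not 1 <= day_of_month <= 31:
        raise ValueError("day of month out of range")
    if day_of_month < 20:
        return "propagate"
    if day_of_month <= 28:
        return "dos"
    return "sleep"


def random_target(rng):
    """Pick a random IPv4 address, rejecting the loopback block the worm never contacts."""
    loopback = ipaddress.ip_network("127.0.0.0/8")
    while True:
        candidate = ipaddress.IPv4Address(rng.getrandbits(32))
        if candidate not in loopback:
            return str(candidate)


def sample_targets(count, seed=0):
    """Generate `count` targets from a seeded generator so runs are reproducible."""
    rng = random.Random(seed)
    return [random_target(rng) for _ in range(count)]


def plan_threads(day_of_month, us_english, kill_switch_present, seed=0):
    """Return what the worm's threads would do under the given conditions."""
    plan = {"phase": "sleep", "targets": [], "dos_target": None, "defacement": None}
    if kill_switch_present:
        return plan  # C:\Notworm exists: the thread goes into an infinite sleep
    plan["phase"] = phase_for(day_of_month)
    if plan["phase"] == "propagate":
        plan["targets"] = sample_targets(PROPAGATION_THREADS, seed)
    elif plan["phase"] == "dos":
        plan["dos_target"] = DOS_TARGET
    # Assumption of this model: the defacement thread depends on the default
    # language only, as the write-up states, and is skipped once all threads sleep.
    if us_english and plan["phase"] != "sleep":
        plan["defacement"] = {"delay_hours": DEFACEMENT_DELAY_HOURS,
                              "hook_hours": DEFACEMENT_HOOK_HOURS}
    return plan


def is_defaced(html):
    """Check a fetched page body for the text the hooked response function returns."""
    return DEFACEMENT_MARKER in html


# Constructed sample: the body an infected, hooked server would return.
SAMPLE_DEFACED_BODY = ("<html><body>Welcome to http://www.worm.com !<br>"
                       "Hacked By Chinese!</body></html>")

if __name__ == "__main__":
    for day in (5, 20, 28, 29):
        p = plan_threads(day, us_english=True, kill_switch_present=False)
        print(day, p["phase"], len(p["targets"]), p["dos_target"], p["defacement"])
    print("kill switch present:", plan_threads(5, True, True)["phase"])
    print("sample body defaced:", is_defaced(SAMPLE_DEFACED_BODY))
```

Running the script walks through the three phases and the kill-switch case; `is_defaced` is the check a scanner would run against a server's response body, and `sample_targets` shows why the loopback exclusion matters: without it roughly one address in 256 would point back at the infected host.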