This worm spreads via the Internet as an attachment to infected email messages,
and via local and file-sharing networks. The worm mails itself to email addresses harvested
from the infected machine.
The worm itself is a Windows PE EXE file approximately 205 KB in size.
Installation
When installing, the worm copies itself to the Windows system directory as:
bloodred.exe
Windows_kernel32.exe
It also creates the following files in the Windows system directory:
base64exe.sys
base64zip.sys
frun.txt
The worm creates a file called 'bloodred.zip' in the Windows root
directory.
Skybag then registers itself in the system registry:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Kernel"="%System%\Windows_kernel32.exe"
This ensures that the worm will be launched each time the system is
rebooted.
Skybag then displays the following dialogue box:
'Windows encountered an error reading the file'
Propagation via email
The worm sends itself to all email addresses harvested from the victim
computer. It looks for email addresses in the Outlook Address Book and in files with the
following extensions:
adb
asp
dbx
doc
htm
html
jsp
rtf
txt
xml
To deliver the messages, the worm connects directly to each recipient's SMTP server; it does not go through the victim's mail client.
Messages are not sent to addresses which contain any of the following text strings (this avoids mailing antivirus vendors and some large mail providers; since it is a substring match, an address whose domain merely begins with one of these strings, such as '@mm', is also skipped):
@avp
@fsecure
@hotmail
@microsoft
@mm
@msn
@noreply
@norman
@norton
@panda
@sopho
@symantec
@virusli
Infected messages:
Sender's address (forged; the part before the '@' is chosen at random from the list below):
administration@
management@
Server@
service@
userhelp@
Subject (chosen at random from the list below):
Detailed Information
Email Account Information
Server Error
URGENT PLEASE READ!
Urgent Update!
User Info
User Information
Message body (chosen at random from the list below):
Our server is experiencing some latency in our email service.
The attachment contains details on how your account will be affected.
Due to recent internet attacks, your Email account security is being
upgraded. The attachment contains more details
Our Email system has received reports of your account flooding email
servers. There is more information on this matter in the attachment
We regret to inform you that your account has been hijacked and used for
illegal purposes. The attachment has more information about what has happened.
Your Email account information has been removed from the system due to
inactivity. To renew your account information refer to the attachment
There is urgent information in the attachment regarding your Email account
Attachment name (chosen at random from the list below):
Account_Information
Details
Gift
Information
Update
Word_Document
with one of the following extensions:
.cmd
.pif
.scr
.zip
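Because the sender local parts, subjects and attachment names above are fixed strings, the lure is easy to recognise at a mail gateway. The following Python is an added example, not code from the original description or from any vendor product: it matches a parsed message against those templates and convicts only when both the forged sender and a template attachment match, since the subjects on their own could occur in legitimate mail. It also reproduces the worm's recipient exclusion test to show the side effect of a plain substring match. The Message structure and the sample messages are constructed for the example; the indicator sets are copied from the description.

```python
"""Mail-gateway heuristic for the Skybag.a lure described above.

Added example; not code from the original description or any vendor
product. The Message structure and the sample messages are constructed
for the example; the indicator sets are copied from the description.
"""
import re
from dataclasses import dataclass, field

# Local parts of the forged sender addresses (the domain is not fixed).
SENDER_LOCAL_PARTS = {"administration", "management", "server", "service", "userhelp"}
SUBJECTS = {
    "detailed information", "email account information", "server error",
    "urgent please read!", "urgent update!", "user info", "user information",
}
ATTACHMENT_NAMES = {"account_information", "details", "gift",
                    "information", "update", "word_document"}
ATTACHMENT_EXTS = {".cmd", ".pif", ".scr", ".zip"}

# Strings the worm refuses to mail to. It is a plain substring test, so it
# also skips e.g. bob@mmcorp.example because '@mm' occurs in the address.
EXCLUDED_SUBSTRINGS = ("@avp", "@fsecure", "@hotmail", "@microsoft", "@mm",
                       "@msn", "@noreply", "@norman", "@norton", "@panda",
                       "@sopho", "@symantec", "@virusli")


@dataclass
class Message:
    sender: str                      # From header as received (forged by the worm)
    subject: str
    attachments: list = field(default_factory=list)


def worm_would_skip(address):
    """True if the worm's exclusion list would stop it mailing this address."""
    a = address.lower()
    return any(s in a for s in EXCLUDED_SUBSTRINGS)


def split_attachment(name):
    """Split 'Details.pif' into ('details', '.pif'); no extension gives ''."""
    m = re.match(r"^(.*?)(\.[^.]+)$", name.strip())
    if not m:
        return name.strip().lower(), ""
    return m.group(1).lower(), m.group(2).lower()


def skybag_indicators(msg):
    """List every Skybag.a template element found in the message."""
    hits = []
    local = msg.sender.split("@", 1)[0].strip().lower()
    if local in SENDER_LOCAL_PARTS:
        hits.append("sender '%s@'" % local)
    if msg.subject.strip().lower() in SUBJECTS:
        hits.append("subject '%s'" % msg.subject.strip())
    for att in msg.attachments:
        base, ext = split_attachment(att)
        if base in ATTACHMENT_NAMES and ext in ATTACHMENT_EXTS:
            hits.append("attachment '%s'" % att)
    return hits


def is_skybag_lure(msg):
    """Verdict: forged sender template AND a template attachment.

    The subjects are generic enough to occur in legitimate mail, so a
    subject hit alone is reported by skybag_indicators but never convicts.
    """
    hits = skybag_indicators(msg)
    return (any(h.startswith("sender") for h in hits)
            and any(h.startswith("attachment") for h in hits))


if __name__ == "__main__":
    for m in (Message("service@example.org", "Urgent Update!", ["Details.pif"]),
              Message("alice@example.org", "Server Error", ["report.pdf"])):
        print(is_skybag_lure(m), skybag_indicators(m))
```

Note that only the attachment base name and extension are compared, so "Details.pif" and "Word_Document.zip" both match while "Gift.exe" does not, because .exe is not one of the four extensions the worm uses.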
Propagation via local and file-sharing networks
The worm searches the computer for folders whose name contains the
word 'Share' (this matches the shared folders of peer-to-peer file-sharing clients) and copies itself several times to each folder found, under the following names (note the double extensions, which hide the executable extension behind a media or archive one):
ACDSEE10.exe
Adobe Photoshop Full Version.exe
Battlefield 1942.exe
Brianna banks and jenna jameson.mpeg ..exe
Britney spears naked.jpeg .exe
Cisco source code.zip ..exe
DVD Xcopy xpress.exe
jenna jameson screensaver.scr
Kazaa Lite.zip ..exe
NETSKY SOURCE CODE.zip ..exe
Norton AntiVirus 2004.exe
Opera Registered version.exe
Snood new version.exe
Teen Porn.mpeg ..exe
Visual Studio.NET.zip .exe
WinAmp 6.exe
Windows crack.zip ..exe
Windows Longhorn Beta.exe
WINDOWS SOURCE CODE.zip ..exe
WinRAR.exe
Payload
Skybag.a closes the Windows Task Manager if it is open.
The worm overwrites the %System%\DRIVERS\ETC\HOSTS file with the following text, so that the listed antivirus, update and search-engine sites resolve to the local machine and can no longer be reached by name:
127.0.0.1 www.norton.com
127.0.0.1 norton.com
127.0.0.1 yahoo.com
127.0.0.1 www.yahoo.com
127.0.0.1 microsoft.com
127.0.0.1 www.microsoft.com
127.0.0.1 windowsupdate.com
127.0.0.1 www.windowsupdate.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 www.nai.com
127.0.0.1 nai.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 www.google.com
127.0.0.1 google.com
If the infected computer's system date is November 15, 2004 or later,
the worm attempts to conduct DoS attacks against www.kazaa.com.
The worm also attempts to disable a number of firewalls and
antivirus monitors.
I-Worm.Skybag.a opens TCP port 2345 and listens on it for commands, giving the attacker backdoor access to the infected machine.
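The installation, share-propagation and payload sections above give four host artefacts that can be checked without running anything on the suspect machine: the "Microsoft Kernel" Run value, the HOSTS overwrite, the lure file names dropped into 'Share' folders, and the TCP 2345 listener. The following Python is an added example, not code from the original description or from any vendor tool: each check takes plain text (a .reg export, the HOSTS file, a directory listing, 'netstat -ano' output) so it can be run on files copied off the machine. The double-extension pattern generalises the '.zip ..exe' trick beyond the exact names listed; the sample inputs are constructed for the example.

```python
"""Offline triage helpers for the Skybag.a artefacts described on this page:
the Run-key value, the HOSTS overwrite, the share-folder copies and the
TCP 2345 listener. Added example, not code from the original page or any
vendor tool. Inputs are plain text (.reg export, HOSTS file, directory
listing, 'netstat -ano' output) so the checks run on files copied off a
suspect machine; all samples below are constructed."""
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "microsoft kernel"


def run_key_hits(reg_text):
    """Return the data of every 'Microsoft Kernel' value under the Run key."""
    hits, in_run = [], False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_run = line.strip("[]").lower() == RUN_KEY.lower()
        elif in_run and line.lower().startswith('"%s"=' % RUN_VALUE):
            data = line.split("=", 1)[1].strip('"')
            hits.append(data.replace("\\\\", "\\"))  # .reg escapes backslashes
    return hits


# Domains the worm pins to 127.0.0.1 (taken from the description above).
BLOCKED_DOMAINS = {
    "www.norton.com", "norton.com", "yahoo.com", "www.yahoo.com",
    "microsoft.com", "www.microsoft.com", "windowsupdate.com",
    "www.windowsupdate.com", "www.mcafee.com", "mcafee.com", "www.nai.com",
    "nai.com", "www.ca.com", "ca.com", "liveupdate.symantec.com",
    "www.sophos.com", "www.google.com", "google.com",
}


def hosts_sinkholes(hosts_text):
    """Return {name: ip} for every listed domain mapped to a loopback address."""
    found = {}
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments, then tokenise
        if len(fields) < 2:
            continue
        ip, names = fields[0], fields[1:]
        for name in names:
            if name.lower() in BLOCKED_DOMAINS and ip in ("127.0.0.1", "0.0.0.0", "::1"):
                found[name.lower()] = ip
    return found


# Exact lure names from the share-propagation list above.
SHARE_NAMES = {
    "ACDSEE10.exe", "Adobe Photoshop Full Version.exe", "Battlefield 1942.exe",
    "Brianna banks and jenna jameson.mpeg ..exe", "Britney spears naked.jpeg .exe",
    "Cisco source code.zip ..exe", "DVD Xcopy xpress.exe",
    "jenna jameson screensaver.scr", "Kazaa Lite.zip ..exe",
    "NETSKY SOURCE CODE.zip ..exe", "Norton AntiVirus 2004.exe",
    "Opera Registered version.exe", "Snood new version.exe", "Teen Porn.mpeg ..exe",
    "Visual Studio.NET.zip .exe", "WinAmp 6.exe", "Windows crack.zip ..exe",
    "Windows Longhorn Beta.exe", "WINDOWS SOURCE CODE.zip ..exe", "WinRAR.exe",
}
# Generalisation of the '.zip ..exe' trick: a media/archive/document extension,
# whitespace, then one or two dots and an executable extension.
DOUBLE_EXT = re.compile(
    r"\.(zip|mpeg|mpg|jpeg|jpg|avi|mp3|doc)\s+\.{1,2}(exe|scr|pif|cmd|bat)$", re.I)


def suspicious_share_names(filenames):
    """Flag exact Skybag lure names and any name using the double-extension trick."""
    return [f for f in filenames if f in SHARE_NAMES or DOUBLE_EXT.search(f)]


NETSTAT = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)", re.I)


def listeners_on(netstat_text, port=2345):
    """Return PIDs listening on the port, parsed from 'netstat -ano' lines."""
    return [int(m.group(2)) for m in map(NETSTAT.match, netstat_text.splitlines())
            if m and int(m.group(1)) == port]


# Constructed samples (the path and PIDs are illustrative, not from the page).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Kernel"="C:\\WINDOWS\\system32\\Windows_kernel32.exe"
"""
SAMPLE_HOSTS = """127.0.0.1 localhost
127.0.0.1 www.norton.com
127.0.0.1 liveupdate.symantec.com   # sinkholed by the worm
10.0.0.5  intranet.example.local
"""
SAMPLE_NETSTAT = """  TCP    0.0.0.0:135     0.0.0.0:0      LISTENING    900
  TCP    0.0.0.0:2345    0.0.0.0:0      LISTENING    1764
  TCP    10.0.0.7:2345   10.0.0.9:4410  ESTABLISHED  1764
"""

if __name__ == "__main__":
    print(run_key_hits(SAMPLE_REG))
    print(hosts_sinkholes(SAMPLE_HOSTS))
    print(suspicious_share_names(["Cisco source code.zip ..exe", "holiday.zip",
                                  "Norton AntiVirus 2004.exe"]))
    print(listeners_on(SAMPLE_NETSTAT))
```

A hit from hosts_sinkholes is strong on its own, since no legitimate configuration maps update and antivirus sites to loopback; a 2345 listener should be tied back to its PID and the binary path checked against the %System% names given under Installation before drawing a conclusion, because the port number alone is not unique to this worm.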