According to Microsoft, the worm searches for the "services.exe" file and then becomes part of that code. It copies itself into the Windows system folder as a DLL file with a random 5-8 character name, such as piftoc.dll. The worm then modifies the Windows Registry to run the infected DLL file as a service. Once up and running, it creates an HTTP (web) server, resets the machine's System Restore point (making the infection harder to recover from) and proceeds to download files from a malicious web site.
"The replication methods are quite good. It's using multiple mechanisms, including USB sticks, so if someone got an infection from one company and then takes his USB stick to another firm, it could infect that network too. It also downloads lots of content and creates new variants through this mechanism."
"Of course, the real problem is that people haven't patched their software. If people do patch their software, they should have little to worry about," he added.