The worm enters a user's system through the bogus E-mail message with the subject line "Invalid SSL Certificate." The message falsely warns readers that an invalid SSL certificate used by many Web sites may cause a buffer over-run in Microsoft Internet Explorer and enable an attacker to access the user's system. The E-mail also contains the attachment, sslpatch.exe.
Users who click on the attachment will execute the virus, which then seeks a live connection to the Internet. If no connection is found, the virus activates its payload, which searches for all executable files in the directory where the virus resides, as well as the parent directory. It will then encrypt all of the executable files it finds, rendering them useless.
If the virus does find an Internet connection, it will conduct a search for all * .ht * files in the "My Documents" directory. The virus copies an E-mail address from any file that contains a "mailto:" string and then mails a copy of itself using its own E-mail software.
Central Command lists the worm as a medium risk. So far, only one copy of the worm has been reported.