http://www.nsclean.com/psc-kaz.html<snippage>
Analysis of these new trojans has determined that once initiated, they begin making multiple copies of themselves into a subfolder of the main "Windows" folder on the affected machines. The files produced tend towards 6 new copies of the original trojan per minute, rapidly filling up the hard disk of the victim with deliberately named filenames of differing size. The resizing of the copies and the filenames, often containing names shown above in order to entice downloading, makes it extremely difficult for a Kazaa or similar file sharing host to be able to determine which files are legitimate and which are backdoors. Because of the manner in which antiviruses function, it would also be difficult for a pattern match of files to succeed as the sizings and spacings of the contents of the files containing the backdoor can be unpredictable, and therefore potentially elusive.
On machines which contain KAZAA, the backdoor trojan adds an entry to the registry as follows:
HKEY_CURRENT_USER\Software\Kazaa\LocalContent "Dir6"
which points to a folder called:
C:\WINDOWS\User32
which contains the multiple copies of the trojan under numerous "interesting names" in order to entice parties visiting the Kazaa server to download the trojan. In our testing, an average of 6 new files were created every minute.
</snippage>
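A triage check built from the two indicators in the advisory above, written as an added example (not code from the quoted advisory or its vendor): it flags Kazaa `DirN` share entries that point inside the Windows folder and measures the file-creation rate in that folder. The registry export, the timestamps, the `ExampleApp` key, the default `C:\WINDOWS` location and the handling of a possible prefix before the path are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

KAZAA_KEY = r"HKEY_CURRENT_USER\Software\Kazaa\LocalContent"  # key named in the advisory
WINDOWS_DIR = r"C:\WINDOWS"  # assumption: default Windows folder location

# Constructed .reg export; ExampleApp is a hypothetical unrelated key.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Kazaa\LocalContent]
"Dir0"="C:\\Documents and Settings\\user\\My Shared Folder"
"Dir6"="C:\\WINDOWS\\User32"

[HKEY_CURRENT_USER\Software\ExampleApp]
"Dir1"="C:\\WINDOWS\\Temp"
'''
# Constructed creation times for files in the shared folder: one every 10 seconds.
SAMPLE_TIMES = [datetime(2003, 1, 1, 12, 0) + timedelta(seconds=10 * i) for i in range(12)]

def suspicious_shares(reg_text, windows_dir=WINDOWS_DIR):
    """Return {value_name: path} for DirN shares located under the Windows folder."""
    hits, in_key = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):  # a new key section begins
            in_key = line.strip("[]").lower() == KAZAA_KEY.lower()
            continue
        m = re.match(r'"(Dir\d+)"="(.*)"$', line)
        if in_key and m:
            data = m.group(2).replace("\\\\", "\\")  # undo .reg escaping
            drive = re.search(r"[A-Za-z]:\\.*", data)  # skip any prefix before the path
            path = drive.group(0) if drive else data
            if (path.lower().rstrip("\\") + "\\").startswith(windows_dir.lower() + "\\"):
                hits[m.group(1)] = path
    return hits

def peak_files_per_minute(created_times):
    """Largest number of file creations inside any 60-second window."""
    times, best, start = sorted(created_times), 0, 0
    for end, t in enumerate(times):
        while t - times[start] >= timedelta(seconds=60):
            start += 1
        best = max(best, end - start + 1)
    return best

def triage(reg_text, created_times, rate_threshold=6):
    # Flag only when both indicators from the advisory are present together.
    shares = suspicious_shares(reg_text)
    rate = peak_files_per_minute(created_times)
    return {"shares": shares, "rate": rate, "flag": bool(shares) and rate >= rate_threshold}
```

Matching on the share location and creation rate rather than on file contents sidesteps the varying file sizes and names the advisory describes.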