Worm_Downad.KK may be downloaded or dropped from remote sites by other malware. It may be downloaded unknowingly by a user when visiting malicious Web sites.
This worm drops a copy of itself whose permissions are set to restricted access, with FILE_EXECUTE for the user Everyone. It then registers itself as a system service to ensure its automatic execution at every system startup.
This worm connects to time servers to determine the current date. It then generates random strings based on the current date and appends certain domain extensions to these strings to form the addresses of the generated Web sites. This worm may generate up to 50,000 random URLs based on the given strings. However, it only attempts to connect to around 500 randomly generated URLs at a time.
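The connection attempts described above show up in resolver logs as one client looking up hundreds of names that no other machine asks for. The following is an added detection sketch, not Trend Micro's code and not the worm's own name-generation routine. The log tuple layout, the thresholds, the function names and the sample data are assumptions made for the example.

```python
import hashlib
from collections import defaultdict

def flag_burst_clients(records, window=3600, min_rare=100):
    """records: iterable of (epoch_seconds, client_ip, queried_name).

    Returns {client_ip: rare_count} for every client that, inside one fixed
    window, looked up at least min_rare distinct names no other client queried.
    Fixed windows are a simplification: a burst that straddles a boundary is split.
    """
    clients_by_name = defaultdict(set)
    names_by_bucket = defaultdict(set)
    for ts, client, name in records:
        name = name.lower().rstrip(".")
        clients_by_name[name].add(client)
        names_by_bucket[(client, int(ts) // window)].add(name)

    flagged = {}
    for (client, _bucket), names in names_by_bucket.items():
        rare = sum(1 for n in names if len(clients_by_name[n]) == 1)
        if rare >= min_rare:
            flagged[client] = max(flagged.get(client, 0), rare)
    return flagged

def constructed_log():
    """Constructed sample data: not real traffic, not the worm's generator."""
    t0 = 1_700_000_000 // 3600 * 3600  # aligned to the start of a window
    log = []
    # Two ordinary clients browsing the same 150 popular names.
    for client in ("10.0.0.11", "10.0.0.12"):
        for i in range(150):
            log.append((t0 + i * 20, client, f"site{i}.example"))
    # One client looking up 500 one-off names within the same hour.
    for i in range(500):
        label = hashlib.sha256(f"sample-{i}".encode()).hexdigest()[:10]
        log.append((t0 + i * 7, "10.0.0.23", f"{label}.example"))
    return log

if __name__ == "__main__":
    for client, rare in flag_burst_clients(constructed_log()).items():
        print(f"{client}: {rare} names queried by no other client in one window")
```

Counting only names that a single client queried keeps busy but ordinary browsing hosts, whose lookups overlap with the rest of the network, below the threshold.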
This worm terminates processes that contain certain strings if they are found running in memory. It also blocks access to Web sites that contain strings related to antivirus programs. This routine allows this worm to avoid early detection and consequent removal.
Technical details can be found at this Trend Micro page.