It’s a little old now, and I’m surprised I hadn’t blogged about it before, but I feel it’s still an interesting little exploit to mention.
From my naive understanding of the exploit, it masks itself as a Java-esque app and tries to gain port listening access surreptitiously.
The novel part is that once it can, it searches Reddit for a partial MD5 hash based on the current date, which would return a list of IPs published by a former /u/vtnhiaovyd on a former r/minecraftserverlists.
These IPs are of course C&C servers, from which the worm gets further commands.
It’s all been long cleaned up, but I still find it an amusing and novel little worm.
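For anyone hunting this kind of lookup after the fact, here is an added example (not part of the original post, and not the worm's code) that scans web proxy logs for Reddit searches whose query is a fragment of an MD5 digest of that day's date. The date formats, the minimum fragment length, the log layout and all function names are assumptions, since the post does not give those details.

```python
import hashlib, re
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Assumptions, not from the post: the date renderings and the shortest fragment.
DATE_FORMATS = ("%Y-%m-%d", "%Y%m%d", "%d%m%Y", "%m/%d/%Y", "%d.%m.%Y")
MIN_LEN = 8
HEX = re.compile(r"[0-9a-f]+")

def date_digests(day):
    """MD5 hex digests for the day before, of and after `day` (clock/timezone skew)."""
    days = [day + timedelta(days=d) for d in (-1, 0, 1)]
    return {hashlib.md5(d.strftime(f).encode()).hexdigest()
            for d in days for f in DATE_FORMATS}

def reddit_search_term(url):
    """Return the lowercased q= value of a Reddit search URL, else None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    on_reddit = host == "reddit.com" or host.endswith(".reddit.com")
    if not on_reddit or not re.search(r"/search(\.json)?/?$", parts.path):
        return None
    terms = parse_qs(parts.query).get("q")
    return terms[0].strip().lower() if terms else None

def hunt(log_lines):
    """Return (timestamp, client, term) for searches that are a fragment of a date digest."""
    hits = []
    for line in log_lines:
        try:
            ts, client, url = line.split()[:3]
            day = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
            term = reddit_search_term(url)
        except ValueError:
            continue  # malformed line, timestamp or URL
        if term and len(term) >= MIN_LEN and HEX.fullmatch(term) \
                and any(term in d for d in date_digests(day)):
            hits.append((ts, client, term))
    return hits

# Constructed proxy log lines: "<UTC timestamp> <client> <url>".
FRAG = hashlib.md5(b"20240115").hexdigest()[:12]
SAMPLE_LOG = [
    f"2024-01-15T09:12:03Z 10.0.0.7 https://www.reddit.com/search?q={FRAG}",
    "2024-01-15T09:13:40Z 10.0.0.8 https://www.reddit.com/search?q=deadbeefcafe",
    "2024-01-15T09:14:02Z 10.0.0.9 https://www.reddit.com/r/python/search?q=md5+hashing",
]
```

Running `hunt(SAMPLE_LOG)` flags only the first line: the second query is hex but unrelated to the date, and the third is an ordinary search.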