Starts an FTP server on TCP port 5554. This server is used to spread the worm to other hosts.
Attempts to connect to randomly-generated IP addresses on TCP port 445. If a connection is made to a computer, the worm sends shellcode to that computer which may cause it to run a remote shell on TCP port 9996. The worm then uses the shell to cause the computer to connect back to the FTP server on port 5554 and retrieve a copy of the worm. This copy will have a name consisting of 4 or 5 digits followed by _up.exe (eg 74354_up.exe).
The IP addresses generated by the worm are distributed as follows:
50% are completely random
25% have the same first octet as the IP address of the infected host
25% have the same first and second octet as the IP address of the infected host.
The worm starts 128 threads that scan randomly-chosen IP addresses. This demands a lot of CPU time and as a result an infected computer may be so slow as to be barely useable.
http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.worm.html
It happens in the background as part of the communications that goes on through the network.