Presence of the following files:
Notifications from the firewall that a process having one of above first two paths is trying to connect to Internet
Please let BitDefender disinfect your files.
Ovidiu Visoiu, virus researcher
In order to trick the user, the infected files have the icon of a folder, but they are executables. When is launched the worm drops three files:
The first two are copies of launcher and the DLL is a simple text file that contains printable characters such as current day or a message ("Don't kill me...please");
A field, userinit, of the registry key [HKLM\Software\MicrosoftWindows\WindowsNT\CurrentVersion\Winlogon] is modified from it's value %Root_Drive%\Windows\System32\userinit.exe to %Root_Drive%\Window\userinit.exe, so that the worm will be active after system reboot.
After the copies of the worm are launched the initial process will be closed and the following actions will take place.
A login to scs.msg.yahoo.com server is tried, YM! being a way to spread itself.
It tries to download a file, which is the same worm repacked, from URLs like:
the file will be saved in Windows\System32\Task.exe, and launched. This will replace the old two copies and associated processes with it's own copies and delete itself.
System.exe process opens an UDP listening port(106x).
The worm monitors removable storage devices and create on this a copy secret.exe and autorun.inf in order to infect other machines on which AutoRun service is not disabled
Modifies System32\drivers\etc\hosts redirecting URLs to 127.0.0.1, loop-back address.