The presence of the files and registry key from the technical description
Increased processor and network activity
Please let BitDefender disinfect your files.
Ovidiu Visoiu, virus researcher
This worm will try to spread through the following IM programs: Skype, Yahoo! Messenger, Windows Live Messenger, AIM, ICQ. To do so, it searches the open windows of these programs and, once it finds one, looks for zones of interest (input boxes, lists, subwindows), retrieves data (users) from them and sends itself to those users by synthesizing keyboard and mouse input.
When executed, it will make a copy of itself in %Temp%\vshost32.exe and register this copy to run at startup:
Userinit = %System%\userinit.exe,%Temp%\vshost32.exe
As a further spreading routine, it will create an autorun.inf file pointing to a hidden copy of the worm on each partition, mapped network drive and removable storage drive.
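A defender-side check for the startup registration and autorun.inf artifacts described above, as an added example that is not part of the original description: it flags any Userinit entry other than the stock `%System%\userinit.exe` and lists the programs an autorun.inf would launch. The environment paths, the sample autorun.inf and its file name are constructed for illustration.

```python
import ntpath

# Constructed paths for illustration; on a real host read them from the system.
ENV = {"%system%": r"C:\Windows\System32",
       "%temp%": r"C:\Users\alice\AppData\Local\Temp"}

# Constructed autorun.inf; the file name is a placeholder, not from the description.
SAMPLE_AUTORUN = """[autorun]
; constructed sample
open=RECYCLER\\sample.exe
shell\\open\\command=RECYCLER\\sample.exe
icon=shell32.dll,4
"""

def expand(path, env=ENV):
    """Expand %System% / %Temp% placeholders and normalise case and separators."""
    p = path.strip().strip('"')
    for var, val in env.items():
        i = p.lower().find(var)
        if i != -1:
            p = p[:i] + val + p[i + len(var):]
    return ntpath.normcase(ntpath.normpath(p))

def audit_userinit(value, env=ENV):
    """Return every Userinit entry that is not the stock %System%\\userinit.exe."""
    stock = expand(r"%System%\userinit.exe", env)
    entries = [expand(e, env) for e in value.split(",") if e.strip()]
    return [e for e in entries if e != stock]

def autorun_targets(text):
    """Return the programs an autorun.inf would launch from its [autorun] section."""
    targets, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
        elif in_section and "=" in line and not line.startswith(";"):
            key, val = (s.strip() for s in line.split("=", 1))
            key = key.lower()
            if key in ("open", "shellexecute") or (
                    key.startswith("shell\\") and key.endswith("\\command")):
                targets.append(val)
    return targets

if __name__ == "__main__":
    print(audit_userinit(r"%System%\userinit.exe,%Temp%\vshost32.exe"))
    print(autorun_targets(SAMPLE_AUTORUN))
```

Any path returned by `audit_userinit` runs at every logon and should be examined; a clean system normally returns an empty list.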
It will try to access a PHP script using the parameters "12345" and "USA" from the following locations:
win.studyingcenter-org.com, ns.dunno-net.com, fubar.cheapsocks.cn; these were unavailable at the moment of description.