- presence of the registry entry mentioned in Technical Description
- computer slows down
Removal instructions:
Please let BitDefender disinfect your files.
Analyzed By
George Cabau, virus researcher
Technical Description:
This worm performs the following actions upon execution:
- creates a copy of itself inside the “%systemdrive%\RECYCLER\S-1-5-21-[10-digits-random]-[10-digits-random]-[4-digits-random]” directory, under the name “MsMxEng.exe”, and hides this directory from Explorer.
- registers itself to run at system start-up by creating a new entry in "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" under the name "Taskman", pointing to “%systemdrive%\RECYCLER\[malware-directory]\MsMxEng.exe”.
- injects its code into the memory space of explorer.exe.
It spreads itself:
- Through USB removable devices, by creating a folder named USBSYSTEM on the device and placing a copy of itself there under the name "usp.exe". It also creates an "autorun.inf" file in the device root, which runs the malware when the infected USB device is used on another computer.
- Through MSN, by sending malware links.
- Through Kazaa and DC++, by sharing its directory.
- Through P2P, using LimeWire, eMule, iMesh and BearShare.
The worm has DoS (Denial of Service) capabilities: it can initiate TCP SYN flood attacks against remote hosts.
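
A triage check for the persistence and USB indicators listed above, added here as an example (it is not BitDefender's code). It assumes %systemdrive% is stored expanded to a drive letter in the Taskman value; the function names are hypothetical.

```python
import re
import sys
from pathlib import Path

# Layout from the description:
# <drive>:\RECYCLER\S-1-5-21-<10 digits>-<10 digits>-<4 digits>\MsMxEng.exe
TASKMAN_RE = re.compile(
    r'^"?[A-Za-z]:\\RECYCLER\\S-1-5-21-\d{10}-\d{10}-\d{4}\\MsMxEng\.exe"?$',
    re.IGNORECASE,
)
WINLOGON_KEY = r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon"


def taskman_matches(value):
    """True if a Winlogon 'Taskman' value points at the worm's RECYCLER copy."""
    return bool(value) and TASKMAN_RE.match(value.strip()) is not None


def read_taskman():
    """Read the Taskman value under HKLM; None off Windows or if absent."""
    if sys.platform != "win32":
        return None
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
            return str(winreg.QueryValueEx(key, "Taskman")[0])
    except OSError:
        return None


def find_child(parent, name):
    """Case-insensitive child lookup, so a stick mounted on Linux also works."""
    if not parent.is_dir():
        return None
    for entry in parent.iterdir():
        if entry.name.lower() == name.lower():
            return entry
    return None


def scan_removable_root(root):
    """Return the USB-propagation artifacts found under a drive root."""
    root = Path(root)
    found = []
    usbsystem = find_child(root, "USBSYSTEM")
    if usbsystem and usbsystem.is_dir() and find_child(usbsystem, "usp.exe"):
        found.append("USBSYSTEM/usp.exe")
    if find_child(root, "autorun.inf"):  # weak on its own; legitimate media use it too
        found.append("autorun.inf")
    return found
```

On Windows, `taskman_matches(read_taskman())` checks the live registry value, and `scan_removable_root` takes the root of a mounted removable drive.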