Worm.P2P.Palevo.AT
HIGH
MEDIUM
~180 kbytes
(Win32.HLLW.Lime.18; P2P-Worm.Win32.Palevo)
Symptoms
- The following hidden file will be present on an infected system:
c:\RECYCLER\[random_recycler_folder]\nissan.exe
- The following registry value (under the Winlogon key) pointing to nissan.exe:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman
- explorer.exe (carrying the injected worm code) attempts to connect to various sites such as:
sandra.pricha[removed].com
pica.banjalucke-ljepot[removed].com
l33t.brand-clo[removed].com
- each time a removable drive is inserted, the following files are created on it:
a copy of the worm under ZALJUBIT\dousiju.exe and an autorun.inf file pointing to it
Removal instructions:
Please let BitDefender delete the infected files.
Analyzed By
Dana Stanut, virus researcher
Technical Description:
When executed, the worm injects its code into explorer.exe, so every action the worm takes appears to be performed by Windows Explorer.
The injected code will then perform the following actions:
- create a hidden copy of the worm under:
c:\RECYCLER\[random_recycler_folder]\nissan.exe
(the folder name mimics a user SID, for example: S-1-5-21-9844392106-7672706631-221574024-0507)
- modify the registry by adding the following value:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
Name: Taskman
Value: c:\RECYCLER\[random_recycler_folder]\nissan.exe
Winlogon starts the program named in this value at every logon, so the worm is executed after every system reboot.
- create a hidden file named desktop.ini in the same folder as nissan.exe, with the following contents:
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
With this modification the folder containing nissan.exe is shown with the Recycle Bin icon instead of the normal folder icon, and opening it in Windows Explorer shows the contents of the Recycle Bin rather than the two files it actually holds, nissan.exe and desktop.ini.
Spreading methods:
- via removable drives, by creating a copy of itself under ZALJUBIT\dousiju.exe on every removable drive that is used, plus an autorun.inf file pointing to this copy
- via MSN Messenger
- via P2P Shares as: BearShare, iMesh, Shareaza, Kazaa, DC++, eMule, eMule+, LimeWire
To evade AV detection the worm is stored encrypted, defeats emulation, and refuses to run if VMware, Sandboxie or a debugger is detected.
It carries Microsoft Word version information and a GIF file icon, both to mislead the user into executing it and to look innocuous if seen in Task Manager or Process Explorer.
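The artefacts listed above (an executable hidden behind a Recycle Bin desktop.ini, the Winlogon\Taskman persistence value, and an autorun.inf that launches a file from the removable drive) can be checked programmatically. The script below is an added example written for this page, not BitDefender's tool; it parses the three artefact formats and runs against constructed in-memory samples (the file listing, .reg export, desktop.ini and autorun.inf text are assumptions modelled on the description, not captured data), so it runs offline. Swapping the samples for real file contents and a `reg export` of the Winlogon key is left to the reader.

```python
"""Indicator checks for the Palevo.AT artefacts described on this page.

Added example (not BitDefender's code). All sample data below is
constructed to match the description and is NOT captured from a real system.
"""
import configparser
import re
from pathlib import PureWindowsPath

RECYCLE_BIN_CLSID = "{645FF040-5081-101B-9F08-00AA002F954E}"
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
EXEC_EXT = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd"}
# Files genuinely deleted into C:\RECYCLER are renamed D<drive><n>.<ext>,
# so an executable that keeps a real name (nissan.exe) is the odd one out.
RECYCLED_NAME = re.compile(r"^D[a-z]\d+$", re.I)

# --- constructed samples (assumptions, not real artefacts) -----------------
SAMPLE_FOLDER = r"c:\RECYCLER\S-1-5-21-9844392106-7672706631-221574024-0507"
SAMPLE_FOLDER_LISTING = [SAMPLE_FOLDER + r"\nissan.exe", SAMPLE_FOLDER + r"\desktop.ini"]
SAMPLE_DESKTOP_INI = "[.ShellClassInfo]\nCLSID={645FF040-5081-101B-9F08-00AA002F954E}\n"
SAMPLE_AUTORUN_INF = r"""[autorun]
open=ZALJUBIT\dousiju.exe
shell\open\command=ZALJUBIT\dousiju.exe
"""
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Taskman"="c:\\RECYCLER\\S-1-5-21-9844392106-7672706631-221574024-0507\\nissan.exe"
"""


def parse_ini(text: str) -> configparser.ConfigParser:
    """Parse INI-style content (desktop.ini / autorun.inf) with lower-cased keys."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str.lower
    cp.read_string(text)
    return cp


def _section(cp: configparser.ConfigParser, name: str):
    """Case-insensitive section lookup (INI section names vary in case on disk)."""
    return next((s for s in cp.sections() if s.lower() == name.lower()), None)


def recycle_bin_masquerade(desktop_ini_text: str, folder_files: list[str]) -> list[str]:
    """Return executables sitting in a folder whose desktop.ini claims the Recycle Bin CLSID.

    Explorer shows such a folder as the Recycle Bin, hiding its real contents.
    Files already renamed to the D<drive><n> Recycle Bin scheme are skipped.
    """
    cp = parse_ini(desktop_ini_text)
    sec = _section(cp, ".ShellClassInfo")
    if sec is None:
        return []
    clsid = cp.get(sec, "clsid", fallback="").strip().upper()
    if clsid != RECYCLE_BIN_CLSID:
        return []
    hits = []
    for f in folder_files:
        p = PureWindowsPath(f)
        if p.suffix.lower() in EXEC_EXT and not RECYCLED_NAME.match(p.stem):
            hits.append(f)
    return hits


def autorun_targets(autorun_text: str) -> list[str]:
    """Return every program an autorun.inf would launch (open=, shellexecute=, shell\\*\\command=)."""
    cp = parse_ini(autorun_text)
    sec = _section(cp, "autorun")
    if sec is None:
        return []
    targets = set()
    for key, value in cp.items(sec):
        if key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command")):
            targets.add(value.strip().strip('"'))
    return sorted(targets)


def taskman_from_reg_export(reg_text: str):
    """Return the Winlogon\\Taskman value from a .reg export, or None if absent.

    Windows does not set Taskman by default, so any value deserves a look.
    """
    current = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            continue
        if current and current.lower() == WINLOGON_KEY.lower():
            m = re.match(r'"Taskman"="(.*)"$', line, re.I)
            if m:
                return m.group(1).replace("\\\\", "\\")  # .reg files double backslashes
    return None


def scan(listing, desktop_ini, autorun_inf, reg_export) -> list[str]:
    """Run all three checks and return human-readable findings."""
    findings = [f"executable hidden behind Recycle Bin CLSID: {f}"
                for f in recycle_bin_masquerade(desktop_ini, listing)]
    findings += [f"autorun.inf launches: {t}" for t in autorun_targets(autorun_inf)]
    taskman = taskman_from_reg_export(reg_export)
    if taskman:
        findings.append(f"Winlogon Taskman persistence: {taskman}")
    return findings


if __name__ == "__main__":
    for line in scan(SAMPLE_FOLDER_LISTING, SAMPLE_DESKTOP_INI, SAMPLE_AUTORUN_INF, SAMPLE_REG_EXPORT):
        print(line)
```

On a live system the real per-user bins under C:\RECYCLER also carry the Recycle Bin CLSID in their desktop.ini, which is why the check keys on an executable that kept its own name rather than on the CLSID alone; a deleted program renamed to the Dc<n>.exe scheme is not reported. Any Taskman value at all is reported, since the value is absent on a default install.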