Symptoms

Removal instructions:

Analyzed By

Technical Description:

This worm have a folder icon and perform the following action upon execution:
- make a copy of itself inside %windir% folder, as “SCVHOST.exe”
- make a copy of itself inside %windir%\system32 folder, as “SCVHOST.exe”
- register itself at startup in many places, by adding the registry values:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run : “Yahoo Messsenger” -> “c:\Windows\System32\SCVHOST.exe”
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell  -> “SCVHOST.exe”.
- disables the task manager, registry tools and folder options by settings next registry keys: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System:
"DisableTaskMgr" ->"1";
"DisableRegistryTools" ->"1";
 HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer:
"NofolderOptions" ->"1";
- creates a schedule, using windows AT command schedule, for runnig “%windir%\System32\SCVHOST.exe”(a copy of malware)  every day at 09:00AM. It also removes the limit on how long scheduled tasks are active by setting the key HKLM\SYSTEM\CurrentControlSet\Services\Schedule:
"AtTaskMaxHours"->"0".  
- disables Internet Explorer to start in offline mode by setting the registry HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings:
 "GlobalUserOffline"-> "0"
- creates the following registry entry so that its copy is shared HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares: "shared"->"\New folder.exe".  If it finds any shared drivers, it copy itself on the under name “New folder.exe.”

- it spread itself via shared drives, removable drives and yahoo messenger.