Trend Micro threat analysts have detected a rather industrious worm, which usually infects users who have been careless enough to click on a link offered in a variety of unsolicited emails.
The emails use various approaches. Sometimes it is the “Document I told you about”; other times it is a “Free download of a sex movie” or a job application letter. In every case, the link leads to the worm.
When executed, the worm does a whole bunch of things:
- Terminates the running AV solution and attempts to delete it
- Creates registry entries that disable security alerts and the (UAC) secure desktop prompt
- Tries to access users’ Yahoo! Messenger files (possibly trying to harvest Yahoo! Messenger IDs to send copies of itself)
- Uses the Messaging Application Programming Interface (MAPI) to send out emails carrying a copy of itself (it can also spread via removable drives)
- Connects to several malicious websites
- Forces network sharing of some system folders under the share name Updates
- Downloads a backdoor.
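Two of the listed behaviours leave artefacts that can be triaged offline from a suspect host: the registry changes that disable security alerts and the secure desktop, and the system folders exposed as a network share. The script below is an added example, not code from the article or from Trend Micro. The article does not name the registry values the worm writes, so the checks use the standard Windows values that govern Security Center notifications and the UAC secure desktop; which of them this particular worm touches is an assumption. The inputs are a `reg export` dump and `net share` output; the samples embedded here are constructed.

```python
"""Offline triage for the host changes listed above (added example, not the
article's or Trend Micro's code; the registry values are the standard ones for
the features named, not values confirmed for this worm)."""
import re

# (key, value name, setting that indicates tampering, description)
# ASSUMPTION: canonical values for Security Center alerts and the UAC secure desktop.
WEAKENING_VALUES = [
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center",
     "AntiVirusDisableNotify", 1, "Security Center antivirus alerts suppressed"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center",
     "FirewallDisableNotify", 1, "Security Center firewall alerts suppressed"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System",
     "PromptOnSecureDesktop", 0, "UAC prompts no longer shown on the secure desktop"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System",
     "EnableLUA", 0, "UAC disabled entirely"),
]

# Folders that should never be exposed by a non-administrative share.
SYSTEM_FOLDER_PREFIXES = (r"C:\WINDOWS", r"C:\PROGRAM FILES")


def parse_reg_export(text):
    """Return {(key, name): int} for the DWORD values in a .reg export.
    Keys and value names are lower-cased because the registry is case-insensitive."""
    values, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            continue
        m = re.match(r'"([^"]+)"=dword:([0-9a-fA-F]{8})$', line)
        if key and m:
            values[(key, m.group(1).lower())] = int(m.group(2), 16)
    return values


def find_weakened_settings(reg_text):
    """List the alert / secure-desktop settings found in their weakened state."""
    values = parse_reg_export(reg_text)
    return [f"{description}: {key}\\{name} = {bad}"
            for key, name, bad, description in WEAKENING_VALUES
            if values.get((key.lower(), name.lower())) == bad]


def parse_net_share(text):
    """Return [(share_name, path)] from `net share` output; pathless shares are skipped."""
    shares, in_table = [], False
    for raw in text.splitlines():
        if raw.startswith("----"):
            in_table = True              # header separator; share rows follow
            continue
        line = raw.strip()
        if not in_table or not line or line.startswith("The command"):
            continue
        fields = re.split(r"\s{2,}", line)   # columns are separated by runs of spaces
        if len(fields) >= 2 and re.match(r"[A-Za-z]:\\", fields[1]):
            shares.append((fields[0], fields[1]))
    return shares


def find_exposed_system_folders(net_share_text):
    """Flag non-administrative shares (C$, ADMIN$ ... are expected) under a system folder."""
    return [f"system folder exposed as share {name!r}: {path}"
            for name, path in parse_net_share(net_share_text)
            if not name.endswith("$") and path.upper().startswith(SYSTEM_FOLDER_PREFIXES)]


# Constructed samples shaped like a `reg export` dump (after UTF-16 decoding)
# and `net share` output from a tampered host.
SAMPLE_REG = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Security Center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000000

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System]
"EnableLUA"=dword:00000001
"PromptOnSecureDesktop"=dword:00000000
"""

SAMPLE_NET_SHARE = """
Share name   Resource                        Remark

-------------------------------------------------------------------------------
C$           C:\\                             Default share
IPC$                                         Remote IPC
ADMIN$       C:\\WINDOWS                      Remote Admin
Updates      C:\\WINDOWS\\system32
Public       C:\\Users\\Public
The command completed successfully.
"""

if __name__ == "__main__":
    for finding in find_weakened_settings(SAMPLE_REG) + find_exposed_system_folders(SAMPLE_NET_SHARE):
        print("[!]", finding)
```

On a real host, feed it `reg export "HKLM\SOFTWARE\Microsoft\Security Center"` and `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"` (decoded from UTF-16) together with `net share`; the share check deliberately ignores the `$` administrative shares so that only shares a process added, such as the `Updates` share described above, are reported.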
The interesting thing is that Trend Micro had detected a packed version of this same worm a while back, so they speculate that the criminals behind this version managed to get their hands on the original code and adjusted it to their needs.