3. Right-click it and select Properties. In the new window you will see a textbox called Path to executable ( e.q. C:\Windows\system32\urdxvc.exe ).

4. Press the Stop button in order to stop the malicious service.

5. Now open Windows Explorer ( Start > All Programs > Accessories ), locate the infected file and delete it.

6. Run a full scan with BullGuard.

SYMPTOMS

1. Increased network traffic.

2. Presence of a service called Network Windows Service.

3. When you open local .html pages, if you have Internet Explorer 7.0 you receive a notification that says "Internet

Explorer has restricted this webpage from running scripts or ActiveX controls".

DESCRIPTION

1. The worm uses a polymorphic encryption in order to make detection harder. There are several decryption layers

that are used in order to get access to the code of the worm.

2. The worm will copy itself in the Windows system directory.

3. It will create a process from the copied file and it will instruct it to create a service in order to run when

the computer starts.

4. The service will create serveral threads that will do the following:

- Look for .htm and .html files. When one is found, it will search for the < HTML > tag

and will add a reference to its CLSID right after it.

- Try to get access to computers from the LAN by various techniques, including a dictionary attack that

uses a predefined lists of passwords.

- It does a Denial Of Service Attack on 3 websites located in Estonia (www.starman.ee, online.if.ee, www.if.ee).

Author:
The BullGuard Team