A rather industrious worm has been detected by Trend Micro threat analysts, and it usually infects users who have been careless enough to click on a link offered in a variety of unsolicited emails.

The emails use various approaches. Sometimes it’s a “Document I told you about”. Other times it’s a “Free download of a sex movie” or a job application letter. In any case, the presented link points to the worm.

When executed, the worm does a whole bunch of things:

Terminates the running AV solution, and attempts to delete it

Creates registry entries that deactivate security alerts and secure desktop prompting

Tries to access users’ Yahoo! Messenger files (possibly trying to harvest Yahoo! Messenger IDs to send copies of itself)

Uses the Messaging Application Programming Interface (MAPI) to send out emails with a copy of itself (but can also spread itself via removable drives)

Connects to several malicious websites

Forces the sharing of some System folders as Updates

Downloads a backdoor.
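
A host triage check for three of the behaviours listed above (suppressed security alerts, disabled secure desktop prompting, shared System folders), added here as an example and not taken from Trend Micro's analysis. The article does not name the registry values or shared paths, so the standard Windows Security Center and UAC values and the `%SystemRoot%` path prefix used below are assumptions.

```powershell
# Added triage example. The registry values are standard Windows settings,
# assumed here; they are not indicators published for this worm.
$checks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'PromptOnSecureDesktop'; Bad = 0
       Meaning = 'Secure desktop prompting disabled' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center'
       Name = 'AntiVirusDisableNotify'; Bad = 1
       Meaning = 'Antivirus alerts suppressed' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center'
       Name = 'FirewallDisableNotify'; Bad = 1
       Meaning = 'Firewall alerts suppressed' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center'
       Name = 'UpdatesDisableNotify'; Bad = 1
       Meaning = 'Update alerts suppressed' }
)

# Report only values that exist AND hold the weakened setting.
$regFindings = foreach ($c in $checks) {
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -ne $item -and $item.($c.Name) -eq $c.Bad) {
        [pscustomobject]@{
            Kind    = 'Registry'
            Detail  = '{0}\{1} = {2}' -f $c.Path, $c.Name, $c.Bad
            Meaning = $c.Meaning
        }
    }
}

# Ordinary disk shares (Type 0) whose path lies under the Windows directory.
# Built-in admin shares such as ADMIN$ have a different Type and are skipped.
# print$ (and SYSVOL/NETLOGON on domain controllers) are expected hits.
$root = $env:SystemRoot
$shareFindings = Get-CimInstance -ClassName Win32_Share |
    Where-Object {
        $_.Type -eq 0 -and $_.Path -and
        $_.Path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)
    } |
    ForEach-Object {
        [pscustomobject]@{
            Kind    = 'Share'
            Detail  = '{0} -> {1}' -f $_.Name, $_.Path
            Meaning = 'Folder under the Windows directory is shared'
        }
    }

@($regFindings) + @($shareFindings) | Format-Table -AutoSize -Wrap
```

An empty result means none of these settings were found in the weakened state; any hit should be compared against the organisation's baseline before it is treated as a sign of infection.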

The interesting thing is that Trend Micro detected the packed version of this same worm a while back, so they speculate that the criminals behind this version have managed to get their hands on the original code and adjusted it to their needs.