Just tried yours shadow and McAfee says
VIRUS DETAILS
Overview -
This detection is for a worm that attempts to copy itself to the Windows system folder. Additionally it attempts to place an autorun.inf file in the same location to automatically restart itself.
Characteristics -
This detection is for a worm. It attempts to spread by creating an autorun.inf file, which will run the worm automatically on systems which use the drives that are set to Autorun.
When run, the worm copies itself to the %Windir%\system32 folder and hides itself there. In addition it drops its autorun.inf file in the same location.
The worm tries to connect to the following URLs:
* lemox.myhome.cx
* zkarmy.dip.jp
It makes the following changes to the registry. Notably, it changes registry values to start itself when Windows restarts.
Keys added:
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DRM\amty
Values modified:
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "ShowSuperHidden"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run "csrcs". Data: C:\WINDOWS\system32\csrcs.exe
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell". Data: Explorer.exe csrcs.exe
Symptoms -
The symptoms of this detection are the files, registry, and network communication referenced in the characteristics section.
Method of Infection -
This worm may be spread by its intended method of infected removable drives or network shares.
Alternatively this may be installed by visiting a malicious web page either by clicking on a link, or by the website hosting a scripted exploit which installs the worm onto the user's system with no user interaction.
Removal -
All Users:
Use current engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
Additional Windows ME/XP removal considerations
Variants -
N/A