New Virus Attack : (MS Word Icon) SVCHOST SPOOLSV

Discovered a new virus that resides in c:\Recycled

• CTFMON.exe
• SMSS.exe
• SPOOLSV.exe
• SVCHOST.exe

The icon of these files are EXCTLY like Microsoft Windows MS Word type

• Icon : MS Word
• Type of File: Application
• Description: Microsoft Office Word
• Size : 55.0 KB (56,320 bytes)
• Size on disk: 56.0 KB (57,344 bytes)
• File version : 11.0.5604.0
• Copyright : Copyright © 1983-2003 Microsoft Corporation. All rights reserved.
• Language : Language Neutral
• etc

It adds to the startup at

• HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
• Explorer.exe “C:\recycled\SVCHOST.exe”

If you try to end task one of the process, the other processes make such changes in your system registry that u’ll be never again able to login to ur windows account. : ( [observed by me at some cases, still got to work out] The comp logs off as soon as you click on your account.

• coz of changes to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

Discovered

• Place : rvce, bangalore
• Dated : April 2, 2008
• was present much earlier than this date

I’ll work on this soon, didn’t find any occurrence from anywhere else on my blog yet.
Kaspersky do not detect this virus yet, as on 15 april 2008.

======
taken from : http://piyushlabs.wordpress.com/2008/04/15/new-virus-attack-ms-word-icon-svchost-spoolsv/
======