This detection is for a worm. It attempts to spread by creating an autorun.inf file, which will run the worm automatically on systems which use the drives that are set to Autorun.

When run, the worm copies itself to the %Windir%\system32 folder and hides itself there. In addition it drops its autorun.inf file in the same location.

The worm tries to connect the following URLs:

• lemox.myhome.cx
• zkarmy.dip.jp

It makes the following changes to the registry. Notably, it changes registry values to start itself when Windows restarts.

Keys added:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DRM\amty

Values modified:

• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "ShowSuperHidden"
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run "csrcs". Data: C:\WINDOWS\system32\csrcs.exe
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell". Data: Explorer.exe csrcs.exe