IM Virus part 2

Symantec responded to my virus submission, reporting that they are calling it spybot.worm. And the virus defs are in the latest rapid release defs. The response took long enough that I think it wasn’t an autoreply. If its the autoreply, I know its not something new. I tried the rapid release defs on my own computer and then set xdbdown to download rapid release defs.
I also downloaded the file ( and ran it on a vmware machine. Of course good viruses know when they are in a virtual environment and dont do everything. I also didn’t set up a fake network connection, so I dont know what network downloads it may have tried. I’m tempted to try that, but I dont want to hose my real computer.
It did a lot of registry lookups. The main thing is that it created is c:\winnt\system32\express.exe and starting that with HKCU run and HKLM run/runservice. That file is also detected by the rapid release defs. The file is set as a hidden and system file so you may need to go into dos and run attrib -h -s express.exe (in the system32 directory).
The rapid release virus definitions I am using from Symantec is 10/26/2005 rev25