(Where X: is the drive letter of the removable media)
Upon execution, the worm copies itself to the following files:
C:\Documents and settings\All users\Application Data\copy.exe (first part of the worm)
C:\Documents and settings\All users\Application Data\sqlserv.exe (second part of the worm containing keylogging capabilities)
C:\Documents and settings\All users\Application Data\Autorun.inf
It then adds the following value to the registry Run key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "sqlserv" = "C:\Documents and settings\All users\Application Data\sqlserv.exe"
The monitored keystrokes are stored in the following location, if it exists:
C:\Documents and settings\Guest\Templates\
More information can be found at this McAfee page.
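A triage check for the artifacts listed above, added here as an example and not part of the original post. It assumes the suspect volume is mounted at a local directory and that the user's Run key was exported as text with `reg query`; the function names and the sample registry output are constructed for illustration.

```python
import ntpath
import re
from pathlib import Path

# Indicators copied from the write-up above.
DROP_DIR = r"C:\Documents and settings\All users\Application Data"
DROPPED = ("copy.exe", "sqlserv.exe", "Autorun.inf")
RUN_NAME = "sqlserv"
KEYLOG_DIR = r"C:\Documents and settings\Guest\Templates"

# Constructed sample of `reg query` output for the HKCU Run key.
SAMPLE_REG = r"""
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    sqlserv    REG_SZ    C:\Documents and Settings\All Users\Application Data\sqlserv.exe
"""

def norm(win_path):  # Windows paths are case-insensitive; normalise before comparing
    return ntpath.normcase(ntpath.normpath(win_path.strip().strip('"')))

def parse_reg_query(text):
    """Turn `reg query` output into {lowercased value name: data}."""
    rows = (re.match(r"^\s+(.+?)\s+REG_(?:EXPAND_)?SZ\s+(.*)$", ln) for ln in text.splitlines())
    return {m.group(1).lower(): m.group(2) for m in rows if m}

def find(root, win_path):
    """Resolve a Windows path under a mounted image root, ignoring case."""
    cur = Path(root)
    for part in ntpath.splitdrive(win_path)[1].strip("\\").split("\\"):
        hits = [c for c in cur.iterdir() if c.name.lower() == part.lower()] if cur.is_dir() else []
        if not hits:
            return None
        cur = hits[0]
    return cur

def triage(root, reg_query_output):
    """Return (kind, detail) findings for the artifacts listed in the post."""
    findings = []
    for name in DROPPED:
        hit = find(root, ntpath.join(DROP_DIR, name))
        if hit:
            findings.append(("file", hit.name))
    data = parse_reg_query(reg_query_output).get(RUN_NAME)
    if data is not None:
        exact = norm(data) == norm(ntpath.join(DROP_DIR, "sqlserv.exe"))
        findings.append(("run-value-exact" if exact else "run-value-name-only", data))
    # The directory can exist on a clean system; list its contents for review.
    log_dir = find(root, KEYLOG_DIR)
    if log_dir and log_dir.is_dir():
        findings.append(("keylog-dir-contents", sorted(p.name for p in log_dir.iterdir())))
    return findings
```

Because the Run value lives under HKEY_CURRENT_USER, the registry export has to be taken for each user profile on the machine.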