On the morning of the 25th, one of my diagnosticians called to inform me of strange behavior on several networks.

The behavior on each network computer is:

- Local DNS down : meaning that computers can no longer reach the internet because their DNS is 127.0.0.1

- IPCONFIG : shows errors and doesn't accept any arguments

- NSLOOKUP : also fails.

- No scheduled tasks of the kind usually created by the worm

- No rootkit

- Some Plug and Play drivers are loaded with NT_AUTHORITY, and process dependencies are shown.

- The network computers could go to the net with DNS names of sites, but could go with true IP addresses.

If we try to stop, delete, or just copy the worm, it reacts with a blue screen or a reboot.

So we decided to audit these computers to check their behavior. To be more sure of the results we would get, we asked 3 different companies to let us do research and behavior analysis.

We decided to take a family as follows:

- 1 WIN2008

- 1 XPSP3

- 1 XPSP2

- 1 WIN2003

All of these computers' operating systems have the latest MS patches, including the MS09-01