This is an Internet-worm spreading via e-mail, sending infected messages from infected computers.
While spreading, the worm uses MS Outlook and sends itself to all addresses that are stored in the MS Outlook Address Book.
The worm also installs itself into the system.
It creates its copies in the Windows system directory with the following names:
WINKERNEL32.EXE, MYBABYPIC.EXE, WIN32DLL.EXE, CMD.EXE, COMMAND.EXE
and registers in the Windows auto-run section in the system registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\mybabypic = %WinSystem%\mybabypic.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WINKernel32 = %WinSystem%\WINKernel32.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices = %WinSystem%\Win32DLL.exe
Depending on the system date and time, the worm:
- switches on/off NumLock, CapLock and ScrollLock keys
- sends to keyboard buffer different messages.
The worm also corrupts and/or affects other files.
It scans subdirectory trees on all available drives, lists all files there and depending on filename extension, performs one of the deffirent actions.
Use antivirus (also check How To Remove section)Startup Optimizer to automatically remove it from startup.