Once executed, the worm copies itself as the following file:
%System%\[RANDOM FILE NAME].dll

Next, the worm deletes any user-created System Restore points.

It creates the following service:
Name: netsvcs
ImagePath: %SystemRoot%\\system32\\svchost.exe -k netsvcs

Then the worm creates the following registry entry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netsvcs\Parameters\"ServiceDll" = "[PathToWorm]"

The worm connects to the following URLs to obtain the IP address of the compromised computer:

* http://www.getmyip.org
* http://getmyip.co.uk
* http://checkip.dyndns.org

Full writeup:
http://www.symantec.com/security_response/writeup.jsp?docid=2008-112203-2408-99&tabid=2
====

My worry here is that it creates that netsvcs service, but that's legit, so killing the service to (try to) stop the worm will more than likely kill the machine along with it.
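
The service and ServiceDll entries from the writeup above, turned into a check over saved `reg query HKLM\SYSTEM\CurrentControlSet\Services /s` output. This is an added example, not part of the original post or Symantec's writeup; the sample output, the `Schedule` entry, the DLL name `qzxvbn.dll` and the function names are constructed for illustration.

```python
# Constructed sample of `reg query HKLM\SYSTEM\CurrentControlSet\Services /s`
# output. "Schedule" represents an ordinary svchost-hosted service and
# "qzxvbn.dll" stands in for the writeup's [RANDOM FILE NAME].dll.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\System32\svchost.exe -k netsvcs

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\system32\schedsvc.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netsvcs
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\system32\svchost.exe -k netsvcs

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netsvcs\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\system32\qzxvbn.dll
"""

PREFIX = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"
# (subkey, value name) pairs worth keeping, mapped to a canonical field name.
WANTED = {("", "imagepath"): "ImagePath",
          ("parameters", "servicedll"): "ServiceDll"}

def parse_services(text):
    """Return {service: {"ImagePath": ..., "ServiceDll": ...}} from reg query text."""
    services, key = {}, None
    for line in text.splitlines():
        if line.startswith(PREFIX):            # a key line starts a new section
            key = line[len(PREFIX):].strip()
            continue
        parts = line.strip().split("    ", 2)  # value name, type, data
        if key is None or len(parts) != 3 or not parts[1].startswith("REG_"):
            continue
        svc, _, sub = key.partition("\\")
        field = WANTED.get((sub.lower(), parts[0].lower()))
        if field:
            services.setdefault(svc, {})[field] = parts[2].strip()
    return services

def svchost_netsvcs_services(services):
    """Every service whose ImagePath is svchost.exe -k netsvcs (shared host)."""
    return sorted(s for s, e in services.items()
                  if e.get("ImagePath", "").lower().endswith("-k netsvcs"))

def match_writeup(services):
    """Service keys matching the writeup: name netsvcs, that ImagePath, a ServiceDll."""
    return [(s, services[s]["ServiceDll"]) for s in svchost_netsvcs_services(services)
            if s.lower() == "netsvcs" and "ServiceDll" in services[s]]

if __name__ == "__main__":
    parsed = parse_services(SAMPLE)
    print("hosted by svchost -k netsvcs:", svchost_netsvcs_services(parsed))
    print("matches writeup indicators:", match_writeup(parsed))
```

The first list shows every service sharing the same svchost ImagePath; the second isolates the one registry key and DLL path that match the writeup's indicators.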