What is it?
windrv32.exe is a file associated with the W32.Mydoom.T@mm mass-mailing worm.
What does it do?
W32.Mydoom.T@mm is a mass-mailing worm that downloads a copy of Backdoor.Nemog.B.
Once W32.Mydoom.T@mm is executed, it performs the following actions:
- Creates the following copies of itself:
  - %System%\windrv32.exe
  - %Userprofile%\Start Menu\Programs\Startup\autostart.exe
  Notes:
  - %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
  - %Userprofile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\<Current User> (Windows NT/2000/XP).
- Downloads, saves, and executes a temporary file from one of the following domains:
- Adds the value:
  "WinSPF" = "%System%\windrv32.exe"
  to the following registry keys:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  so that it is executed every time Windows starts.
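The file copies and Run-key value listed above are the host artifacts a responder would check for. The PowerShell script below is an added example, not part of the Symantec writeup; it reads the two Run keys for the "WinSPF" value and tests for the two dropped files, reporting what it finds without modifying anything. The %System% and %Userprofile% paths are resolved from the environment as the writeup's notes describe; the Vista-and-later Startup folder location is an assumption added here, since the writeup only lists the Windows NT/2000/XP layout.

```powershell
# Added example: read-only check for W32.Mydoom.T@mm persistence artifacts.
# Reports findings only; removal is left to the vendor's guidance.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$valueName = 'WinSPF'

# %System%\windrv32.exe on NT-family Windows (System32 under the Windows folder)
$systemCopy = Join-Path $env:SystemRoot 'System32\windrv32.exe'

# %Userprofile%\Start Menu\Programs\Startup\autostart.exe (NT/2000/XP profile layout, as in the writeup)
$startupCopyLegacy = Join-Path $env:USERPROFILE 'Start Menu\Programs\Startup\autostart.exe'

# Assumption (not in the writeup): the per-user Startup folder on Vista and later
$startupCopyModern = Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup\autostart.exe'

$findings = @()

# 1. Look for the "WinSPF" value in either Run key and record its target.
foreach ($key in $runKeys) {
    if (Test-Path -Path $key) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($null -ne $props -and ($props.PSObject.Properties.Name -contains $valueName)) {
            $findings += [pscustomobject]@{
                Type     = 'Registry'
                Location = "$key\$valueName"
                Detail   = $props.$valueName
            }
        }
    }
}

# 2. Look for the dropped executables; hash any that exist so they can be
#    submitted or matched against vendor signatures (no hash is given above).
foreach ($path in @($systemCopy, $startupCopyLegacy, $startupCopyModern)) {
    if (Test-Path -LiteralPath $path) {
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{
            Type     = 'File'
            Location = $path
            Detail   = "SHA256=$hash"
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No W32.Mydoom.T@mm persistence artifacts found.'
} else {
    Write-Output 'Possible W32.Mydoom.T@mm artifacts:'
    $findings | Format-Table -AutoSize
}
```

Run it from an elevated prompt so the HKLM Run key and the System32 folder are readable. A hit on the registry value alone (with the file already gone) still indicates the worm ran at some point and is worth recording before cleanup.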
More info and removal: Symantec