Technical
This worm propagates by creating copies of itself on local disks and write-accessible network resources. It is a Windows PE EXE file. It is 46592 bytes in size. It is packed using UPX. The unpacked file is approximately 107MB in size.
Installation
The worm copies its executable file to the Windows system directory:
%System%\<rnd1>[<rnd2>].exe, with <rnd1> and <rnd2> being random numbers
In order to ensure that the worm is launched automatically each time the system is booted, it adds a link to its executable file in the system registry:
[HKLM\software\Microsoft\Windows\CurrentVersion\Run]
"Rising" = "<path>"
The worm extracts a rootkit library from its body and saves it to the Windows temporary directory:
%Temp%\Bug2.tmp - this file is 12800 bytes in size. It will be detected by Kaspersky Anti-Virus as Worm.Win32.AutoRun.ll;
This files masks the worm process in the system.
Propagation
The worm copies its executable file to the root of each drive as follows:
<X>:\<rnd1>[<rnd2>].exe, with <rnd1> and <rnd2> being random numbers and X being the drive
In addition to its executable file, the worm also places the file shown below in the root directory of every disk:
<x>:\autorun.inf
This file will launch the worm's executable file each time the user opens the infected disk using Explorer.
Process
The worm modifies the following system registry key parameter to make it impossible to write to it:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue" = 0
The worm contains a Trojan component designed to steal account data for the online game Perfect World. The program searches the system for a process called "elementclient.exe". If it finds this process, it searches the directory for the following file:
userdata\currentserver.ini
It then harvests the following parameter values:
CurrentGroup
Server
CurrentServer
CurrentServerAddress
It also reads the "elementclient.exe" process memory and harvests the following variables:
* User name
* Password
* Sum of virtual money
Harvested data is sent in an HTTP request to the following servers:
***uxian.com.cn
***ulin2.cn
***2i.com.cn
Removal
If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:
1. Use Task Manager to terminate the malicious program’s process.
2. Delete the original worm file (the location will depend on how the program originally penetrated the victim machine).
3. Delete the following system registry key parameter:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Rising" = "<path>"
4. Delete the copy of the worm from all removable disks:
<X>\<rnd1>[<rnd2>].exe
<X> stands for the letter of the removable disk.
5. Empty the temporary directory (%Temp%).
6. Update your antivirus databases and perform a full scan of the computer
____________________
The more you lose yourself in something bigger than yourself, the more energy you will have!! 
