Aliases
W32/Bizex.worm, Worm.Win32.Bizex

Type
Win32 worm

Description
W32/Bizex-A is a worm which propagates over ICQ.
The worm appears as an ICQ message prompting the user to visit a website hosted on www.jokeworld.com. The web page downloads a file to the user's computer as startup.wav and runs the file.
Startup.wav contains a script which creates the file WinUpdate.exe in the startup folder. When Windows is next started WinUpdate.exe attempts to download a file named updater.exe to the Windows temp folder as aptgetupd.exe. Aptgetupd.exe is the main component of W32/Bizex-A. The worm copies itself to the sysmon subfolder of the Windows system folder as a file named sysmon.exe and adds the following registry entry to ensure that the worm is run each time Windows starts up:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\sysmon


Read more: http://www.sophos.com/virusinfo/analyses/w32bizexa.html