Date Discovered: 2/13/2004
Date Added: 2/15/2004
Origin: Unknown
Length: 12,800
Type: Virus
SubType: Internet Worm
Virus Characteristics
This is a repackaged version of the .b variant. It functions the same as the .b variant.
This threat is proactively detected as Exploit-DcomRpc.gen with the 4.2.60 scan engine, or higher, and the 4290 DAT files, or higher, when scanning compressed executables, default option.
This virus exploits the MS03-026 / MS03-039 vulnerability (DCOM RPC), the MS03-007 vulnerability (NTDLL via WebDav), and the MS03-049 vulnerability (Workstation service).
Installation
To ensure only one instance of the worm on the victim machine, a mutex of the following name is created:
WksPatch_Mutex
The virus installs itself within a DRIVERS directory in the Windows System directory:
C:\WINNT\SYSTEM32\DRIVERS\SVCHOST.EXE (12,800 bytes)
Please Note: There is a perfectly legitimate system file with filename SVCHOST.EXE in the WINDOWS SYSTEM directory with the same filesize.
The following service is installed:
WksPatch Set to run the installed copy of the worm (SVCHOST.EXE)
Display name varies as it's constructed from the following strings. The virus chooses one string from each coloumn (such as "License Procedure Messaging")
Read more: http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=101025

Chowhound
Comic Vine
GameFAQs
GameSpot
Giant Bomb
TechRepublic