>>1
What do you want to know about it?
Seeing your post I downloaded a sample of this worm, and took a 5 minute look at it, first glance shows that it's made of 2 layers, the first layer does the decryption of an UPX packed executable which has its header erased to confuse novice reverse engineers, the loader layer is obfuscated by splitting the code into chunks and shuffling them at random then interconnecting by jumps. It contains anti-debugging code and other useless crap. The real worm code which is located after the decryption(loader)/decompression(upx) seems to contain a driver which does something to tcpip.sys in the memory, probably used to circumvent tools like netstat and other firewalls. The code of the main worm seems to have options for upnp discovery and some code for installing itself as a service. There's also a list of badwords containing online antivirus/security sites, probably used to block them. Another list contains mysqpace/msn/ebay/cnn/aol and 23.org/ask.com/yahoo.com/google.com/baidu.com and others. There is also a list of commong used passwords. There is also code which seems to be used to disable security center and other services. This is all I can tell you from a 5 minute glance, for more information, I would have to spend some 20 minutes rebuilding the original executable that contained the worm before it was "prepared for distribution".