AutoPlay Worm | Joachim De Zutter
Internet Explorer traces partially detectable via AVG (http://free.avg.com/):

%HOMEDRIVE%%HOMEPATH%\AppData\Roaming\taskeng.exe Trojan horse Generic14.ABGL
%HOMEDRIVE%%HOMEPATH%\AppData\Local\Temp\###.exe Trojan horse Generic14.ABGL
%HOMEDRIVE%%HOMEPATH%\AppData\Local\Temp\###.exe Virus Klone
%HOMEDRIVE%%HOMEPATH%\AppData\Local\Temp\###.exe Worm/Delf.IYS
%HOMEDRIVE%%HOMEPATH%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\...\1[1].exe Virus Klone
%HOMEDRIVE%%HOMEPATH%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\...\load1[1].exe Worm/Delf.IYS
%HOMEDRIVE%%HOMEPATH%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\...\secure[1].exe Generic14.ABGL
%HOMEDRIVE%%HOMEPATH%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\...\stealer_stel1[1].exe Downloader.Generic9.QVF
C:\RECYCLER\S-1-5-21-4019214784-7615574522-740576117-2600\rundll32.exe Virus Klone

The worm spreads via USB flash drives:

$ md5sum *
49b7c44d7fcbecd8f86df66ef2d6681d *autorun.inf (Worm/AutoRun)
e320af8a6635b387876c4a7b473eb1cd *autorun.exe (Worm/Generic.ACI)
46afa15cf73fe226d54f7359c456c999 *usbhelper.exe (Klone)

autorun.inf launches usbhelper.exe
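
A triage check for a mounted flash drive, added here as an example (it is not code from the original post): it lists the [autorun] entries that start a program and compares top-level files against the three MD5 values from the listing above. The function names and the sample autorun.inf text are constructed for illustration; the worm's actual autorun.inf contents are not shown on this page.

```python
import hashlib
import re
from pathlib import Path

# MD5 values copied from the md5sum listing on this page.
PAGE_MD5 = {
    "49b7c44d7fcbecd8f86df66ef2d6681d": "autorun.inf",
    "e320af8a6635b387876c4a7b473eb1cd": "autorun.exe",
    "46afa15cf73fe226d54f7359c456c999": "usbhelper.exe",
}
# [autorun] keys that make Windows start a program.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)

# Constructed sample for illustration; not the worm's actual autorun.inf.
SAMPLE_INF = (
    "; constructed sample\n"
    "[AutoRun]\n"
    "junkpadding\n"
    "OPEN=usbhelper.exe\n"
    "icon=shell32.dll,4\n"
    "shell\\open\\Command = usbhelper.exe\n"
)

def launch_targets(inf_text):
    """Return (key, command) pairs in [autorun] that start a program."""
    section, found = None, []
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "autorun" and "=" in line:
            key, _, value = line.partition("=")
            if LAUNCH_KEY.match(key.strip()):
                found.append((key.strip().lower(), value.strip()))
    return found

def triage_drive(root, known=PAGE_MD5):
    """Check the top level of a mounted drive: MD5 matches and autorun launches."""
    report = {"launches": [], "md5_hits": []}
    for entry in sorted(Path(root).iterdir()):
        if not entry.is_file():
            continue
        data = entry.read_bytes()
        digest = hashlib.new("md5", data, usedforsecurity=False).hexdigest()
        if digest in known:
            report["md5_hits"].append((entry.name, known[digest]))
        if entry.name.lower() == "autorun.inf":
            report["launches"] = launch_targets(data.decode("latin-1"))
    return report
```

An MD5 match only identifies these exact samples; a launch entry pointing at an executable on the drive is worth reviewing even when no hash matches.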

usbhelper.exe appears to be programmed in Delphi and uses the registry key:
[HKLM\Software\HHC]
"Username"=...
The binary contains the following strings:
"telajete54","jogihebi88","mecikohe12","dedehiha11","gehoyiyo85",
"pejiyada54","takavimi64","yexesera42","debivabo81","pelehosa83",
"yawiweba14","cobiraso76","pifovibe56","kakocige",...

autorun.exe appears to be programmed in Microsoft Visual C and was packed with UPX version 12; the header was modified to make analysis more difficult.
(compression method: NRV2B_LE32, compression level: 7, uncompressed size: 189658 bytes, compressed size: 103676 bytes, original file size: 192512 bytes)
The unpacked binary contains the following strings: "61.128.197.212","FileSpy","SpyDll","dk407814",...

http://www.utrace.de/?query=61.128.197.212
Provider: Data Communication Division
Organisation: CHINANET Chongqing province network
Region: Chongqing (CN)


http://www.krcert.or.kr/statReportNewDownload.do?userFilename=1004-statistics.PDF

AutoPlay worms explained by Symantec researcher: