The worm spreads by sending direct messages using the privileges of the already logged-in user. The message looks like an image file, whereas in reality it has an executable .scr (screensaver) extension.
Upon execution, the sample drops a ZeuS crimeware variant on the infected host. The malware is hosted on compromised web servers across the globe.
The sample, which has a very limited detection rate, is currently detected as Win32.HLLW.Autoruner.52856 and HEUR:Trojan.Win32.Generic.