Virus Profile: W32/Checkout!91d0b88a

This worm spreads via MSN Messenger. When installed it sends the following message to contact list recipients and send a zip file named img1756.zip.
* look @ my cute new puppy :-D
* look @ this picture of me, when I was a kid
* I just took this picture with my webcam, like it?
* check it, i shaved my head
* have u seen my new hair?
* what the fuck, did you see this?
* hey man, did you take this picture?
Upon execution, it creates a copy of itself into the Windows folder and also drop a zip file:

* %WINDIR%\img1756.zip (W32/Checkout zipped)
* %WINDIR%\svchost.exe (W32/Checkout)

(Where %WINDIR% is the Windows folder; e.g. C:\Windows)

It also drops a a.bat file to stop the following services. The .bat file is deleted after execution.

* Security Center
* winvnc4

Adds the following values to the registry:

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Microsoft Genuine Logon" = "svchost.exe"