Here is something about it:
Details:
Installation and Autostart Technique
Upon execution, this worm decrypts its codes and then copies itself in the Windows directory as SPEEDY.PIF. It then transfers execution to the dropped file and deletes the executed file.
(Note: The Windows directory is usually C:\Windows or C:\WINNT.)
In order for its dropped copy to execute at Windows startup, it adds the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run
Spees3 = %Windows%\SPEEDY.PIF
(Note: %Windows% is the Windows directory, which is usually C:\Windows or C:\WINNT.)
Then, it spawns SPEEDY.PIF and registers this file as a service so that it does not appear on the Windows Taskbar. It also creates a mutex identifying itself as SpeedyDoS3 to ensure that only one copy of itself is active in memory.
Network Propagation
This worm propagates via network-shared C drives. It looks for machines that have shared drives granting full access. It repeatedly scans for machines connected to the network.
It uses the Share-Level Password vulnerability on Windows systems to propagate via network shared C drives. The vulnerability allows remote access to a Windows 95/98 or ME shared file without knowledge of the entire password assigned to that share.
For more information on this vulnerability and to get hold of the critical patches, visit the following Microsoft page:
Microsoft Bulletin MS00-072
When it finds an accesible drive, it copies itself as the file SPEEDY.PIF in the Windows directory of the remote drive. Then, it copies the remote WIN.INI to the local file C:\TOMA!!!.
It adds either of the following lines to the [windows] section of TOMA!!!:
run = C:\%Windows%\SPEEDY.PIF
It copies the contents of PUT.INI to the WIN.INI file. The change allows BRASIL.PIF or BRASIL.EXE to execute during Windows startup on the remote machine.
Other Details
This UPX-compressed malware connects to the site
www.sp<blocked>dy.com.br to automatically update itself. At the time of this writing, the site is down and inaccessible.
It drops the files PODRE!! and BANDA! in the C:\ folder. It uses these files in its information exchange with the Web site.
Its decrypted code contains the following text strings:
Queremos melheros servicos da SPEEDY
You can read about it here. You will also find it's solution there itself.