The worm renames “Internet Explorer” to “Internet Exploiter” and it also fakes the content of the Startup folder. When a user with an infected machine checks out the Startup folder from the Start menu, he or she will see that it is “(Empty)”. However, by going to the properties of the startup folder, the properties window would show that it is not true. The folder shortcut actually points to an executable file, KHATRA.exe.

Source: Sophos