I’ve been following the MarioF worm family for some time now. Until recently, it had a unique method of running itself when the computer boots. The worm made a subtle patch to user32.dll. It is easy to miss that patch unless you know exactly what to look for. Incidentally, we detect the patched files as Troj/User32Hk-A.
Perhaps this method has become too recognizable and the authors have decided to take a different approach to starting up. It has recently become parasitic.
It now writes its own code into Windows OS files such as explorer.exe and ctfmon.exe. When the computer boots, these files are run automatically. The infected files decrypt a MarioF library and run it before passing control back to the host. All this is typical virus behavior.
Only in the world of malware does a worm evolve into a virus.