Technical Information
To ensure autorun and distribution:
Creates the following files on removable media:
- <Drive name for removable media>:\vir\winlogon.exe
- <Drive name for removable media>:\autorun.infautorun.infautorun.infautorun.infautorun.infautorun.inf
- <Drive name for removable media>:\autorun.infautorun.infautorun.infautorun.inf
- <Drive name for removable media>:\vir\desktop.ini
Malicious functions:
Executes the following:
- '<SYSTEM32>\wscript.exe' "%TEMP%\Temporal34.vbs"
Modifies file system:
Creates the following files:
- C:\vir\winlogon.exe
- %TEMP%\Temporal34.txt
- C:\autorun.infautorun.inf
- C:\vir\desktop.ini
Sets the 'hidden' attribute to the following files:
- <Drive name for removable media>:\vir\winlogon.exe
- <Drive name for removable media>:\vir\desktop.ini
- <Full path to virus>
- <Drive name for removable media>:\autorun.infautorun.infautorun.infautorun.infautorun.infautorun.inf
- C:\vir\desktop.ini
- C:\autorun.infautorun.inf
- <Drive name for removable media>:\autorun.infautorun.infautorun.infautorun.inf
- C:\vir\winlogon.exe
Moves the following files:
- from %TEMP%\Temporal34.txt to %TEMP%\Temporal34.vbs
Network activity:
Connects to:
- 'localhost':1037
Miscellaneous:
Searches for the following windows:
- ClassName: 'MS_AutodialMonitor' WindowName: '(null)'
- ClassName: 'MS_WebcheckMonitor' WindowName: '(null)'
- ClassName: '' WindowName: '(null)'
- ClassName: 'Shell_TrayWnd' WindowName: '(null)'