Technical Information
To ensure autorun and distribution:
Creates or modifies the following files:
- %HOMEPATH%\Start Menu\Programs\Startup\Paint.lnk
Infects the following executable system files:
- <SYSTEM32>\dllcache\regedit.exe.new
- <SYSTEM32>\dllcache\notepad.exe.new
- <SYSTEM32>\dllcache\hh.exe.new
Substitutes the following executable system files:
- %WINDIR%\TASKMAN.EXE with %WINDIR%\TASKMAN.EXE
- %WINDIR%\sleep.exe with %WINDIR%\sleep.exe
- %WINDIR%\twunk_32.exe with %WINDIR%\twunk_32.exe
- %WINDIR%\TASKMAN.EXE with %WINDIR%\taskman.exe.new
- %WINDIR%\NOTEPAD.EXE with %WINDIR%\NOTEPAD.EXE
- %WINDIR%\hh.exe with %WINDIR%\hh.exe
- %WINDIR%\sfk.exe with %WINDIR%\sfk.exe
- %WINDIR%\regedit.exe with %WINDIR%\regedit.exe
Modifies file system:
Creates the following files:
- <SYSTEM32>\dllcache\notepad.exe.new
- <SYSTEM32>\dllcache\regedit.exe.new
- <SYSTEM32>\dllcache\hh.exe.new
- %WINDIR%\notepad.exe.new
- %WINDIR%\regedit.exe.new
- %WINDIR%\vtwunk_16.ico
- %WINDIR%\vtwunk_32.ico
- %WINDIR%\RCX7.tmp
- %WINDIR%\twunk_16.exe.new
- %WINDIR%\RCX6.tmp
- %WINDIR%\taskman.exe.new
- %WINDIR%\hh.exe.new
- C:\Far2\RCX1.tmp
- <Auxiliary element>
- C:\Far2\vFar.ico
- %APPDATA%\Paint.exe
- C:\Far2\Far.exe
- %WINDIR%\vhh.ico
- %WINDIR%\vregedit.ico
- %WINDIR%\RCX5.tmp
- %WINDIR%\RCX4.tmp
- %WINDIR%\RCX3.tmp
- %WINDIR%\vNOTEPAD.ico
Sets the 'hidden' attribute to the following files:
- %APPDATA%\Paint.exe
Deletes the following files:
- %WINDIR%\vNOTEPAD.ico
- %WINDIR%\vregedit.ico
- %WINDIR%\vtwunk_16.ico
- %WINDIR%\vhh.ico
- C:\Far2\Far.exe
- C:\Far2\vFar.ico
- <Auxiliary element>
Moves the following system files:
- from %WINDIR%\TASKMAN.EXE to %WINDIR%\vTASKMAN.EXE
- from %WINDIR%\sleep.exe to %WINDIR%\vsleep.exe
- from %WINDIR%\twunk_32.exe to %WINDIR%\vtwunk_32.exe
- from %WINDIR%\twunk_16.exe to %WINDIR%\vtwunk_16.exe
- from %WINDIR%\NOTEPAD.EXE to %WINDIR%\vNOTEPAD.EXE
- from %WINDIR%\hh.exe to %WINDIR%\vhh.exe
- from %WINDIR%\sfk.exe to %WINDIR%\vsfk.exe
- from %WINDIR%\regedit.exe to %WINDIR%\vregedit.exe