Technical Information
To ensure autorun and distribution:
Substitutes the following executable system files:
- <SYSTEM32>\spoolsv.exe with <SYSTEM32>\spoolsv.exe
Malicious functions:
Executes the following:
- <SYSTEM32>\cacls.exe <SYSTEM32>\wanpacket.dll /e /p everyone:f
- <SYSTEM32>\cacls.exe <DRIVERS>\acpidisk.sys /e /p everyone:f
- <SYSTEM32>\cacls.exe %ALLUSERSPROFILE%\ЎёїЄКјЎ№ІЛµҐ\іМРт\Жф¶Ї /e /p everyone:f
- <SYSTEM32>\net1.exe start server
- <SYSTEM32>\sc.exe delete spooler
- <SYSTEM32>\cacls.exe <SYSTEM32>\pthreadVC.dll /e /p everyone:f
- <SYSTEM32>\cacls.exe <SYSTEM32>\packet.dll /e /p everyone:f
- <SYSTEM32>\cacls.exe <SYSTEM32>\wpcap.dll /e /p everyone:f
- <SYSTEM32>\cacls.exe <SYSTEM32>\npptools.dll /e /p everyone:f
- <SYSTEM32>\cacls.exe <DRIVERS>\npf.sys /e /p everyone:f
Terminates or attempts to terminate
the following user processes:
- AVP.EXE
Modifies file system :
Creates the following files:
- <SYSTEM32>\dllcache\spoolsv.exe
- %WINDIR%\Fonts\beeps.fon
Sets the 'hidden' attribute to the following files:
- <Full path to virus>
Deletes the following files:
- %WINDIR%\Fonts\beeps.fon
Moves the following system files:
- from <SYSTEM32>\spoolsv.exe to C:\s.MS