Technical Information
To ensure autorun and distribution
Changes the following executable system files
- <SYSTEM32>\magnify.exe
- <SYSTEM32>\spider.exe
- <SYSTEM32>\sol.exe
- <SYSTEM32>\winmine.exe
- <SYSTEM32>\mshearts.exe
- <SYSTEM32>\freecell.exe
- <SYSTEM32>\odbcad32.exe
- <SYSTEM32>\restore\rstrui.exe
- <SYSTEM32>\usmt\migwiz.exe
- <SYSTEM32>\cleanmgr.exe
- <SYSTEM32>\charmap.exe
- <SYSTEM32>\ntbackup.exe
- <SYSTEM32>\mstsc.exe
- <SYSTEM32>\control.exe
- <SYSTEM32>\mspaint.exe
- <SYSTEM32>\sndrec32.exe
- <SYSTEM32>\rundll32.exe
- <SYSTEM32>\calc.exe
- <SYSTEM32>\accwiz.exe
- <SYSTEM32>\rcimlby.exe
- <SYSTEM32>\tourstart.exe
- <SYSTEM32>\mobsync.exe
- <SYSTEM32>\notepad.exe
- <SYSTEM32>\cmd.exe
- <SYSTEM32>\utilman.exe
- <SYSTEM32>\osk.exe
- <SYSTEM32>\narrator.exe
- <SYSTEM32>\sndvol32.exe
- <SYSTEM32>\wupdmgr.exe
Infects the following executable files
- <SYSTEM32>\magnify.exe
- <SYSTEM32>\restore\rstrui.exe
- %ProgramFiles%\windows nt\accessories\wordpad.exe
- %ProgramFiles%\adobe\acrobat.com\acrobat.com.exe
- <SYSTEM32>\odbcad32.exe
- <SYSTEM32>\freecell.exe
- <SYSTEM32>\mshearts.exe
- %ProgramFiles%\msn gaming zone\windows\bckgzm.exe
- %ProgramFiles%\msn gaming zone\windows\chkrzm.exe
- <SYSTEM32>\rcimlby.exe
- %ProgramFiles%\msn gaming zone\windows\hrtzzm.exe
- %ProgramFiles%\msn gaming zone\windows\shvlzm.exe
- <SYSTEM32>\winmine.exe
- %ProgramFiles%\windows nt\pinball\pinball.exe
- <SYSTEM32>\sol.exe
- <SYSTEM32>\spider.exe
- %CommonProgramFiles%\microsoft shared\help\dexplore.exe
- %ProgramFiles%\msn\msncorefiles\install\msnsusii.exe
- %ProgramFiles%\movie maker\moviemk.exe
- <SYSTEM32>\usmt\migwiz.exe
- %CommonProgramFiles%\microsoft shared\msinfo\msinfo32.exe
- <SYSTEM32>\cleanmgr.exe
- <SYSTEM32>\charmap.exe
- <SYSTEM32>\ntbackup.exe
- <SYSTEM32>\osk.exe
- <SYSTEM32>\utilman.exe
- %ProgramFiles%\outlook express\wab.exe
- <SYSTEM32>\cmd.exe
- %ProgramFiles%\windows media player\wmplayer.exe
- <SYSTEM32>\notepad.exe
- <SYSTEM32>\mobsync.exe
- <SYSTEM32>\tourstart.exe
- <SYSTEM32>\control.exe
- %ProgramFiles%\msn gaming zone\windows\rvsezm.exe
- %ProgramFiles%\outlook express\msimn.exe
- <SYSTEM32>\accwiz.exe
- <SYSTEM32>\calc.exe
- %ProgramFiles%\windows nt\hypertrm.exe
- <SYSTEM32>\rundll32.exe
- <SYSTEM32>\sndrec32.exe
- <SYSTEM32>\sndvol32.exe
- <SYSTEM32>\mspaint.exe
- <SYSTEM32>\mstsc.exe
- <SYSTEM32>\narrator.exe
- <Drive name for removable media>:\winmine.exe
- <SYSTEM32>\wupdmgr.exe
Creates the following files on removable media
- <Drive name for removable media>:\winmine.ivr
Malicious functions
Modifies settings of Windows Internet Explorer (in every security zone, 0 through 4, the values '1609' "Display mixed content" and '2103' "Allow status bar updates via script" are set to 0, i.e. Enable)
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0] '2103' = '00000000'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0] '1609' = '00000000'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1] '2103' = '00000000'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1] '1609' = '00000000'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] '2103' = '00000000'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] '1609' = '00000000'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '2103' = '00000000'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1609' = '00000000'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4] '2103' = '00000000'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4] '1609' = '00000000'
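The indicators above translate directly into a host triage check. The following is an added example (not part of the original report and not the malware's own code): it flags the two things this report makes observable without a signature, namely a surviving `<name>.ivr` staging copy next to a target executable (the report shows the infector creating and then deleting one per infected file, so a leftover `.ivr` marks a target that was touched) and the IE zone values '1609'/'2103' forced to 0. The directory listing and the `.reg` export embedded below are constructed sample inputs, not data from the page; the function names `find_ivr_companions`, `weakened_zones` and `triage` are the example's own.

```python
import re
from pathlib import PureWindowsPath

# Constructed directory listing standing in for a file-system scan of a
# suspect host (example paths only, not taken from the report).
SAMPLE_LISTING = [
    r"C:\WINDOWS\system32\calc.exe",
    r"C:\WINDOWS\system32\calc.ivr",            # leftover staging copy beside a target
    r"C:\WINDOWS\system32\notepad.exe",         # no companion -> not flagged here
    r"C:\WINDOWS\system32\restore\rstrui.exe",
    r"C:\WINDOWS\system32\restore\rstrui.ivr",
    r"C:\WINDOWS\system32\msswchx.exe",         # component the report executes with 'SWCH'
    r"E:\winmine.exe",                          # copy dropped on removable media
    r"E:\winmine.ivr",
    r"C:\Program Files\Outlook Express\msimn.exe",
]

# Constructed registry export (regedit "Windows Registry Editor Version 5.00"
# layout). Raw string: '\3' would otherwise be an octal escape.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1609"=dword:00000000
"2103"=dword:00000003

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1601"=dword:00000001
"1609"=dword:00000000
"2103"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"1609"=dword:00000003
"2103"=dword:00000003

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"1609"=dword:00000000
"""

ZONE_KEY_RE = re.compile(
    r"^\[HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion"
    r"\\Internet Settings\\Zones\\(\d+)\]$", re.IGNORECASE)
VALUE_RE = re.compile(r'^"(\d{4})"=dword:([0-9a-fA-F]{8})$')

# Zone values the report sets to 0 in every zone; 0 means "Enable" for both.
WATCHED_VALUES = {
    "1609": "Display mixed content",
    "2103": "Allow status bar updates via script",
}


def find_ivr_companions(paths):
    """Return (lower-cased, sorted) executables that have a sibling '<name>.ivr'."""
    by_dir = {}
    for p in paths:
        wp = PureWindowsPath(p)
        by_dir.setdefault(str(wp.parent).lower(), set()).add(wp.name.lower())
    hits = []
    for directory, names in by_dir.items():
        for name in names:
            if name.endswith(".ivr") and name[:-4] + ".exe" in names:
                hits.append(str(PureWindowsPath(directory, name[:-4] + ".exe")))
    return sorted(hits)


def weakened_zones(reg_export):
    """Return {zone_number: [watched value names that are set to 0]}.

    Only keys under Internet Settings\\Zones\\<n> are considered; a value with
    the same name under any other key is ignored.
    """
    findings = {}
    zone = None
    for raw in reg_export.splitlines():
        line = raw.strip()
        key = ZONE_KEY_RE.match(line)
        if key:
            zone = int(key.group(1))
            continue
        if line.startswith("["):      # any other key closes the zone section
            zone = None
            continue
        val = VALUE_RE.match(line)
        if zone is not None and val and val.group(1) in WATCHED_VALUES \
                and int(val.group(2), 16) == 0:
            findings.setdefault(zone, []).append(val.group(1))
    return findings


def triage(paths, reg_export):
    """Combine both checks into one report dict."""
    return {
        "touched_executables": find_ivr_companions(paths),
        "dropper_present": any(
            PureWindowsPath(p).name.lower() == "msswchx.exe" for p in paths),
        "weakened_zones": weakened_zones(reg_export),
    }


if __name__ == "__main__":
    for k, v in triage(SAMPLE_LISTING, SAMPLE_REG_EXPORT).items():
        print(f"{k}: {v}")
```

Executables listed under "touched_executables" should then be hashed and compared against known-good copies (or have their Authenticode signature re-verified), since the `.ivr` companion only shows that the infector reached the file, not whether the overwrite completed.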
Modifies file system
Creates the following files
- <SYSTEM32>\magnify.ivr
- <SYSTEM32>\restore\rstrui.ivr
- %ProgramFiles%\windows nt\accessories\wordpad.ivr
- %ProgramFiles%\adobe\acrobat.com\acrobat.com.ivr
- <SYSTEM32>\odbcad32.ivr
- <SYSTEM32>\freecell.ivr
- <SYSTEM32>\mshearts.ivr
- %ProgramFiles%\msn gaming zone\windows\bckgzm.ivr
- %ProgramFiles%\msn gaming zone\windows\chkrzm.ivr
- <SYSTEM32>\rcimlby.ivr
- %ProgramFiles%\msn gaming zone\windows\hrtzzm.ivr
- %ProgramFiles%\msn gaming zone\windows\shvlzm.ivr
- <SYSTEM32>\winmine.ivr
- %ProgramFiles%\windows nt\pinball\pinball.ivr
- <SYSTEM32>\sol.ivr
- <SYSTEM32>\spider.ivr
- %CommonProgramFiles%\microsoft shared\help\dexplore.ivr
- %ProgramFiles%\msn\msncorefiles\install\msnsusii.ivr
- %ProgramFiles%\movie maker\moviemk.ivr
- <SYSTEM32>\usmt\migwiz.ivr
- %CommonProgramFiles%\microsoft shared\msinfo\msinfo32.ivr
- <SYSTEM32>\cleanmgr.ivr
- <SYSTEM32>\charmap.ivr
- <SYSTEM32>\ntbackup.ivr
- <SYSTEM32>\osk.ivr
- <SYSTEM32>\utilman.ivr
- %ProgramFiles%\outlook express\wab.ivr
- <SYSTEM32>\cmd.ivr
- %ProgramFiles%\windows media player\wmplayer.ivr
- <SYSTEM32>\notepad.ivr
- <SYSTEM32>\mobsync.ivr
- <SYSTEM32>\tourstart.ivr
- <SYSTEM32>\control.ivr
- %ProgramFiles%\msn gaming zone\windows\rvsezm.ivr
- %ProgramFiles%\outlook express\msimn.ivr
- <SYSTEM32>\accwiz.ivr
- <SYSTEM32>\calc.ivr
- %ProgramFiles%\windows nt\hypertrm.ivr
- <SYSTEM32>\rundll32.ivr
- <SYSTEM32>\sndrec32.ivr
- <SYSTEM32>\sndvol32.ivr
- <SYSTEM32>\mspaint.ivr
- <SYSTEM32>\mstsc.ivr
- <SYSTEM32>\narrator.ivr
- <LS_APPDATA>\wsr10zt32.dll
- <SYSTEM32>\wupdmgr.ivr
Deletes the following files
- <SYSTEM32>\magnify.ivr
- <SYSTEM32>\restore\rstrui.ivr
- %ProgramFiles%\windows nt\accessories\wordpad.ivr
- %ProgramFiles%\adobe\acrobat.com\acrobat.com.ivr
- <SYSTEM32>\odbcad32.ivr
- <SYSTEM32>\freecell.ivr
- <SYSTEM32>\mshearts.ivr
- %ProgramFiles%\msn gaming zone\windows\bckgzm.ivr
- %ProgramFiles%\msn gaming zone\windows\chkrzm.ivr
- <SYSTEM32>\rcimlby.ivr
- %ProgramFiles%\msn gaming zone\windows\hrtzzm.ivr
- %ProgramFiles%\msn gaming zone\windows\shvlzm.ivr
- <SYSTEM32>\winmine.ivr
- %ProgramFiles%\windows nt\pinball\pinball.ivr
- <SYSTEM32>\sol.ivr
- <SYSTEM32>\spider.ivr
- %CommonProgramFiles%\microsoft shared\help\dexplore.ivr
- %ProgramFiles%\msn\msncorefiles\install\msnsusii.ivr
- %ProgramFiles%\movie maker\moviemk.ivr
- <SYSTEM32>\usmt\migwiz.ivr
- %CommonProgramFiles%\microsoft shared\msinfo\msinfo32.ivr
- <SYSTEM32>\cleanmgr.ivr
- <SYSTEM32>\charmap.ivr
- <SYSTEM32>\ntbackup.ivr
- <SYSTEM32>\osk.ivr
- <SYSTEM32>\utilman.ivr
- %ProgramFiles%\outlook express\wab.ivr
- <SYSTEM32>\cmd.ivr
- %ProgramFiles%\windows media player\wmplayer.ivr
- <SYSTEM32>\notepad.ivr
- <SYSTEM32>\mobsync.ivr
- <SYSTEM32>\tourstart.ivr
- <SYSTEM32>\control.ivr
- %ProgramFiles%\msn gaming zone\windows\rvsezm.ivr
- %ProgramFiles%\outlook express\msimn.ivr
- <SYSTEM32>\accwiz.ivr
- <SYSTEM32>\calc.ivr
- %ProgramFiles%\windows nt\hypertrm.ivr
- <SYSTEM32>\rundll32.ivr
- <SYSTEM32>\sndrec32.ivr
- <SYSTEM32>\sndvol32.ivr
- <SYSTEM32>\mspaint.ivr
- <SYSTEM32>\mstsc.ivr
- <SYSTEM32>\narrator.ivr
- <Drive name for removable media>:\winmine.ivr
- <SYSTEM32>\wupdmgr.ivr
Miscellaneous
Searches for the following windows
- ClassName: 'TabWindowClass' WindowName: ''
- ClassName: 'msctls_statusbar32' WindowName: ''
Creates and executes the following
- '<SYSTEM32>\msswchx.exe' SWCH (with hidden window)
Executes the following
- '<SYSTEM32>\msswchx.exe' SWCH