Technical Information
To ensure autorun and distribution:
Infects the following executable system files:
- <DRIVERS>\beep.sys
Substitutes the following executable system files:
- <SYSTEM32>\spoolsv.exe with <SYSTEM32>\spoolsv.exe
Malicious functions:
Executes the following:
- <SYSTEM32>\sc.exe delete spooler
- <SYSTEM32>\cacls.exe %ALLUSERSPROFILE%\ЎёїЄКјЎ№ІЛµҐ\іМРт\Жф¶Ї /e /p everyone:f
- <SYSTEM32>\cacls.exe <SYSTEM32>\wanpacket.dll /e /p everyone:f
- <SYSTEM32>\net1.exe stop spooler
- <SYSTEM32>\net1.exe start server
- <SYSTEM32>\net.exe stop spooler
- <SYSTEM32>\cacls.exe <SYSTEM32>\wpcap.dll /e /p everyone:f
- <SYSTEM32>\cacls.exe <SYSTEM32>\pthreadVC.dll /e /p everyone:f
- <SYSTEM32>\cacls.exe <SYSTEM32>\packet.dll /e /p everyone:f
- <SYSTEM32>\cacls.exe <DRIVERS>\acpidisk.sys /e /p everyone:f
- <SYSTEM32>\cacls.exe <SYSTEM32>\npptools.dll /e /p everyone:f
- <SYSTEM32>\cacls.exe <DRIVERS>\npf.sys /e /p everyone:f
Terminates or attempts to terminate
the following user processes:
- AVP.EXE
Modifies file system :
Creates the following files:
- <SYSTEM32>\dllcache\spoolsv.exe
Sets the 'hidden' attribute to the following files:
- <Full path to virus>
Moves the following system files:
- from <SYSTEM32>\spoolsv.exe to C:\t.sa