Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe] 'Debugger' = ' '
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '<Virus name>' = '<Full path to virus>'
Creates the following files on removable media:
- <Drive name for removable media>:\Autorun.inf
Malicious functions:
To complicate detection of its presence in the operating system,
forces the system hide from view:
- file extensions
blocks execution of the following system utilities:
- Windows Task Manager (Taskmgr)
- Registry Editor (RegEdit)
Modifies settings of Windows Explorer:
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'NoViewContextMenu' = '00000001'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'NoFind' = '00000001'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'NoRun' = '00000001'
Modifies settings of Windows Internet Explorer:
- [<HKCU>\Software\Microsoft\Internet Explorer\Main] 'Window Title' = ' This computer has been hacked'
Sets a new unauthorized home page for Windows Internet Explorer.
Modifies file system :
Creates the following files:
- <SYSTEM32>\Autorun.inf
- <Current directory>\Autorun.inf
- C:\Autorun.inf
Miscellaneous:
Searches for the following windows:
- ClassName: 'Shell_TrayWnd' WindowName: ''