Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'WindowsLogin' = 'C:\AUTOEXECx.exe'
Creates the following files on removable media:
- <Drive name for removable media>:\autorun.inf
- <Drive name for removable media>:\Sys.exe
Malicious functions:
Creates and executes the following:
- C:\AUTOEXECx.exe
Terminates or attempts to terminate
the following user processes:
- outpost.exe
- AVP.EXE
Modifies file system :
Creates the following files:
- C:\AUTOEXECx.exe
- C:\autorun.inf
- C:\Sys.exe
Sets the 'hidden' attribute to the following files:
- <Drive name for removable media>:\autorun.inf
- <Full path to virus>
- C:\AUTOEXECx.exe
- C:\Sys.exe
- C:\autorun.inf
- <Drive name for removable media>:\Sys.exe
Deletes the following files:
- <Drive name for removable media>:\Sys.exe
- <Drive name for removable media>:\autorun.inf
- C:\Sys.exe
- C:\autorun.inf
Network activity:
Connects to:
- 'di#####vers.fileave.com':80
- 'wp#d':80
TCP:
HTTP GET requests:
- di#####vers.fileave.com/bejn666.txt
- wp#d/wpad.dat
UDP:
- DNS ASK di#####vers.fileave.com
- DNS ASK wp#d