Technical Information
To ensure autorun and distribution:
Creates or modifies the following files:
- %WINDIR%\explorer.exe
- %WINDIR%\Tasks\explorer.ext
- <Full path to virus>
Substitutes the following executable system files:
- %WINDIR%\explorer.exe with %WINDIR%\Tasks\explorer.ext
Malicious functions:
Creates and executes the following:
- <SYSTEM32>\vip.txt
- <SYSTEM32>\vip.txt (downloaded from the Internet)
Terminates or attempts to terminate
the following user processes:
- AVP.EXE
Modifies file system :
Creates the following files:
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\fifo.log
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP15\rp.log
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP15\RestorePointSize
- \Device\zzz\zzz2\WINDOWS\explorer.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\vip[1].txt
- <SYSTEM32>\vip.txt
- C:\zzz.sys
Deletes the following files:
- C:\zzz.sys
Network activity:
Connects to:
- 'www.wo##down.cn':80
TCP:
HTTP GET requests:
- www.wo##down.cn/vip.txt
UDP:
- DNS ASK www.wo##down.cn