Installation
When executed, the worm copies itself into the %system% folder with the following file names:
explorer.exe
link.exe
The following files are dropped into the %windir% folder:
information.jpg (123563 B)
information.scr (337920 B)
In order to be executed on every system start, the worm sets the following Registry entry:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "explorer.exe "%system%\link.exe""
The following Registry entries are set:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\Showall]
"CheckedValue" = 0
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = 2
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt" = 1
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden" = 0
[HKEY_CURRENT_USER\Control Panel\Desktop]
"Wallpaper" = "%windir%\information.jpg"
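A triage check for the registry changes listed above, written as an added example in Python (it is not part of the original description). It reads the already-decoded text of a registry export and assumes a clean system has a bare "explorer.exe" Shell value and a CheckedValue of 1; the function names and the sample export are constructed for illustration.

```python
import re

# Keys taken from the Registry entries listed in this description.
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
SHOWALL = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\Showall"
DESKTOP = r"HKEY_CURRENT_USER\Control Panel\Desktop"

def parse_reg(text):
    """Parse .reg export text into {key_lower: {name_lower: value}}."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if current is None or not m:
            continue  # header lines, blanks and unsupported value types
        name, raw = m.group(1).lower(), m.group(2)
        if raw.startswith("dword:"):
            current[name] = int(raw[6:], 16)
        elif raw.startswith('"') and raw.endswith('"'):
            current[name] = re.sub(r"\\(.)", r"\1", raw[1:-1])  # undo \" and \\
    return keys

def audit(text):
    """Return findings for the registry changes this description lists."""
    reg, findings = parse_reg(text), []
    shell = reg.get(WINLOGON.lower(), {}).get("shell")
    # Assumption: a clean system has Shell set to the bare string "explorer.exe".
    if shell is not None and shell.strip().lower() != "explorer.exe":
        findings.append(f"Winlogon Shell is not the bare default: {shell}")
    if reg.get(SHOWALL.lower(), {}).get("checkedvalue") == 0:
        findings.append("Showall CheckedValue is 0: hidden files cannot be shown")
    wallpaper = reg.get(DESKTOP.lower(), {}).get("wallpaper", "")
    if wallpaper.lower().endswith("\\information.jpg"):
        findings.append(f"Wallpaper points at the dropped image: {wallpaper}")
    return findings

# Constructed sample export (not captured from an infected host).
SAMPLE = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe \"C:\\WINDOWS\\system32\\link.exe\""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\Showall]
"CheckedValue"=dword:00000000
[HKEY_CURRENT_USER\Control Panel\Desktop]
"Wallpaper"="C:\\WINDOWS\\information.jpg"
'''

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

A finding here is a reason to inspect the host further, since a customised Shell value or a wallpaper with the same file name can have other causes.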
Spreading
The worm creates copies of itself in folders accessed by the following application:
explorer.exe
The name of the file may be based on the name of an existing file or folder. The extension of the file is ".exe".
Spreading on removable media
The worm creates the following folders:
%drive%\RECYCLER\
The following file is dropped in the same folder:
autorune.exe (766464 B)
The worm creates the following file:
%drive%\autorun.inf
Other information
The worm attempts to delete the following file:
%system%\soundmix.exe
The worm may set the following Registry entries:
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
"(Default)" = ""%1" %*"
The worm may delete the following Registry entries:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"soundmix" = "%system%\soundmix.exe"
The worm launches the following processes:
explorer.exe
The worm alters the behavior of the following processes:
Windows Task Manager
