Installation
When executed, the worm copies itself into the %programfiles%\Microsoft Common\ folder using the following filename:
wuauclt.exe
The following Registry entries are created:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
"Debugger" = "%programfiles%\Microsoft Common\wuauclt.exe"
This causes the worm to be executed on every application start.
The worm creates and runs a new thread with its own program code within the following processes:
%system%\svchost.exe
%windir%\explorer.exe
Spreading on removable media
The worm copies itself into the root folders of removable drives using the following name:
system.exe
The following file is dropped in the same folder:
autorun.inf
Thus, the worm ensures it is started each time infected media is inserted into the computer.
Other information
The worm contains a list of (2) URLs.
It tries to download several files from the addresses.
The HTTP protocol is used.
The files are then executed.
The worm creates the following files:
%temp%\%variable%.tmp (6656 B)
The worm may set the following Registry entries:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit" = "%system%\userinit.exe,%variable1%"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"%variable2%" = "%variable3%"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%variable4%" = "%variable5%:*:Enabled:%variable6%"
A string with variable content is used instead of %variable(1-6)%.
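A defender-side check for two of the Registry changes listed on this page (the Image File Execution Options "Debugger" value and the extended "Userinit" value), run over `reg export` text. This is an added example, not part of the original description; the sample export is constructed, and placeholder.exe stands in for %variable1%.

```python
import re

# Constructed sample in `reg export` text form, built from the values this page
# lists; placeholder.exe is a made-up stand-in for %variable1%.
SAMPLE_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
"Debugger"="C:\\Program Files\\Microsoft Common\\wuauclt.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Users\\Public\\placeholder.exe"
"Shell"="explorer.exe"
'''

IFEO = r"\microsoft\windows nt\currentversion\image file execution options" + "\\"
WINLOGON = r"\microsoft\windows nt\currentversion\winlogon"

def parse_reg(text):
    """Parse string values from .reg export text into {key: {name: value}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None:
            m = re.match(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)
            if m:  # undo .reg escaping (\\ -> \, \" -> ")
                name, value = (re.sub(r'\\(.)', r'\1', g) for g in m.groups())
                current[name] = value
    return keys

def find_persistence(keys):
    """Return (key, value name, data, reason) tuples that need review."""
    hits = []
    for key, values in keys.items():
        low = key.lower()
        for name, data in values.items():
            if IFEO in low and name.lower() == "debugger":
                # Legitimate debugger redirects exist, so treat this as a review item.
                hits.append((key, name, data, "IFEO Debugger redirects launches of "
                             + key.rsplit("\\", 1)[1]))
            elif low.endswith(WINLOGON) and name.lower() == "userinit":
                entries = [e.strip() for e in data.split(",") if e.strip()]
                # Assumes the stock entry lives under ...\system32\userinit.exe.
                extra = [e for e in entries
                         if not e.lower().endswith("\\system32\\userinit.exe")]
                if extra:
                    hits.append((key, name, data, "extra Userinit entry: " + extra[0]))
    return hits
```

Files written by `reg export` are UTF-16, so decode them with that encoding before passing the text to `parse_reg`.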
