Win32/Botvoice.A | ESET Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically

O
P
Q
R
S
T
U
V
W
X
Y
Z
Glossary

Installation
When executed, the trojan drops in folder

%appdata%\Microsoft\Speech\Files\UserLexicons\

the following file:

SP_%variable%.dat (940 B)

The %variable% stands for a random number.

The following Registry entries are set:

[HKEY_CLASSES_ROOT\exefile\shell\open\command] "(Default)" = ":: Win32\Hira.A - eCORE[GEDZAC] - I AlwAyS WilL LoVE YoU BeA ::" [HKEY_CLASSES_ROOT\comfile\shell\open\command] "(Default)" = ":: Win32\Hira.A - eCORE[GEDZAC] - I AlwAyS WilL LoVE YoU BeA ::" [HKEY_CLASSES_ROOT\piffile\shell\open\command] "(Default)" = ":: Win32\Hira.A - eCORE[GEDZAC] - I AlwAyS WilL LoVE YoU BeA ::" [HKEY_CLASSES_ROOT\batfile\shell\open\command] "(Default)" = ":: Win32\Hira.A - eCORE[GEDZAC] - I AlwAyS WilL LoVE YoU BeA ::" [HKEY_CLASSES_ROOT\vbsfile\shell\open\command] "(Default)" = ":: Win32\Hira.A - eCORE[GEDZAC] - I AlwAyS WilL LoVE YoU BeA ::" [HKEY_CLASSES_ROOT\jsfile\shell\open\command] "(Default)" = ":: Win32\Hira.A - eCORE[GEDZAC] - I AlwAyS WilL LoVE YoU BeA ::" [HKEY_CLASSES_ROOT\htmlfile\shell\open\command] "(Default)" = ":: Win32\Hira.A - eCORE[GEDZAC] - I AlwAyS WilL LoVE YoU BeA ::" [HKEY_CLASSES_ROOT\htmfile\shell\open\command] "(Default)" = ":: Win32\Hira.A - eCORE[GEDZAC] - I AlwAyS WilL LoVE YoU BeA ::" [HKEY_CLASSES_ROOT\mp3file\shell\open\command] "(Default)" = ":: Win32\Hira.A - eCORE[GEDZAC] - I AlwAyS WilL LoVE YoU BeA ::" [HKEY_CLASSES_ROOT\jpgfile\shell\open\command] "(Default)" = ":: Win32\Hira.A - eCORE[GEDZAC] - I AlwAyS WilL LoVE YoU BeA ::" [HKEY_CLASSES_ROOT\service\CLSID] "(Default)" = ":: Win32\Hira.A - eCORE[GEDZAC] - I AlwAyS WilL LoVE YoU BeA ::" [HKEY_CURRENT_USER\Software\Microsoft\Speech\CurrentUserLexicon] "(Default)" = "Current User Lexicon" "CLSID" = "{C9E37C15-DF92-4727-85D6-72E5EEB6995A}" "FlushRate" = 10 [HKEY_CURRENT_USER\Software\Microsoft\Speech\CurrentUserLexicon\{C9E37C15-DF92-4727-85D6-72E5EEB6995A}\Files] "Datafile" = "%1a%\Microsoft\Speech\Files\UserLexicons\SP_%variable%.dat" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System] "DisableRegistryTools" = 1 "DisableTaskMgr" = 1

The modified Registry entries will prevent specific files from being opened.

Other information
The following programs are terminated:

explorer.exe msnmsgr.exe

The trojan may delete files stored in the following folders:

C:\ %windir% %windir%\ServicePackFiles\i386\ %windir%\$NtServicePackUninstall$\ %My Video% %My Pictures% %My Music% %Personal% %Desktop%

The trojan may display a dialog box with the title:

Bea TkMmMmMmM

The dialog box contains the following text:

I ProMise ... I Will Love YoU AlWayS BEa!

The trojan uses Microsoft Speech technology. It may play the following text in a spoken voice:

You has been infected I repeat You has been infected and your system files has been deletes. Sorry Have a Nice Day and bye bye

The trojan blocks keyboard and mouse input.