Installation
When an infected file is executed, the virus extracts the original host program to a temporary file and runs it, so the program appears to work normally. The virus copies itself to the following location:
%windir%\drivers\spoclsv.exe
In order to be executed on every system start, the virus sets the following Registry entry:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"svcshare" = "%windir%\drivers\spoclsv.exe"
The following Registry entry is set. It neutralises the "Show hidden files and folders" option in Explorer, so files with the hidden attribute stay out of view even when the user selects that option:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue" = 0
The following Registry entries, the autostart entries of several antivirus and security products, are deleted:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RavTask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KvMonXP
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kav
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KAVPersonal50
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\McAfeeUpdaterUI
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Network Associates Error Reporting Service
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShStatEXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YLive.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yassistse
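The installation traces listed above can be checked offline against a Registry export (a .reg file produced with reg export or regedit). The following script is an added example written for this page; it is not the virus's code and not a vendor tool. The two exports it parses are constructed, the parser handles only the [key], "name"="string" and "name"=dword: lines needed here, and key matching is done case-insensitively because exports differ in the case of Software/SOFTWARE.

```python
"""Check a Windows Registry export (.reg text) for the installation traces
described above: the svcshare Run value pointing at %windir%\drivers\spoclsv.exe,
CheckedValue = 0 under SHOWALL, and which of the deleted security-product
autostart values are still present.  Added example; the exports are constructed."""
import re

RUN_HKCU = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_HKLM = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
SHOWALL = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
           r"\Explorer\Advanced\Folder\Hidden\SHOWALL")
PERSIST_VALUE = "svcshare"
DROPPED_FILE = r"\drivers\spoclsv.exe"
# Autostart values the virus deletes (the list given above).
DELETED_RUN_VALUES = [
    "RavTask", "KvMonXP", "kav", "KAVPersonal50", "McAfeeUpdaterUI",
    "Network Associates Error Reporting Service", "ShStatEXE", "YLive.exe",
    "yassistse",
]

_VALUE_LINE = re.compile(r'"((?:[^"\\]|\\.)*)"=(.*)$')


def parse_reg(text):
    """Parse the subset of the .reg format needed here: [key] headers followed
    by "name"="string" or "name"=dword:XXXXXXXX lines.  Returns
    {key: {name: value}}; dwords become int, strings are unescaped."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            m = _VALUE_LINE.match(line)
            if not m:
                continue
            name, val = m.group(1), m.group(2)
            if val.startswith("dword:"):
                keys[current][name] = int(val[6:], 16)
            elif len(val) >= 2 and val[0] == val[-1] == '"':
                keys[current][name] = val[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            else:
                keys[current][name] = val   # hex(...) and other types kept raw
    return keys


def values_of(reg, key):
    """Case-insensitive key lookup."""
    for k, v in reg.items():
        if k.lower() == key.lower():
            return v
    return {}


def check_indicators(reg):
    """Human-readable findings; an empty list means none of the installation
    indicators was seen."""
    findings = []
    for name, val in values_of(reg, RUN_HKCU).items():
        if isinstance(val, str) and val.lower().endswith(DROPPED_FILE):
            findings.append(f'HKCU Run value "{name}" starts {val}')
        elif name.lower() == PERSIST_VALUE:
            findings.append(f'HKCU Run value "{name}" present, pointing at {val}')
    if values_of(reg, SHOWALL).get("CheckedValue") == 0:
        findings.append("SHOWALL CheckedValue = 0: 'Show hidden files and folders' neutralised")
    return findings


def surviving_av_autostarts(reg):
    """Security-product autostart values the virus deletes that are still in
    HKLM Run.  Absence alone proves nothing if the product was never installed."""
    present = {n.lower() for n in values_of(reg, RUN_HKLM)}
    return [v for v in DELETED_RUN_VALUES if v.lower() in present]


# Constructed exports: one showing the traces, one from a clean machine.
INFECTED_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"svcshare"="%windir%\\drivers\\spoclsv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SomeOtherTool"="C:\\Program Files\\Tool\\tool.exe"
'''

CLEAN_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RavTask"="C:\\Program Files\\Rising\\Rav\\RavTask.exe"
'''

if __name__ == "__main__":
    for label, text in (("infected", INFECTED_EXPORT), ("clean", CLEAN_EXPORT)):
        reg = parse_reg(text)
        print(label, check_indicators(reg), surviving_av_autostarts(reg))
```

Run it against a real export with parse_reg(open("export.reg", encoding="utf-16").read()); regedit writes UTF-16 with a BOM, so open the file with that encoding.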
Spreading
The virus copies itself to the root folder of removable drives using the following filename:
setup.exe
The following file is created in the same folder:
autorun.inf
This causes the virus to be executed when the infected media is inserted into a system on which AutoRun is enabled.
Executable files infection
The virus searches local and network drives for executables with one of the following extensions:
COM
EXE
PIF
SCR
Infection is attempted only if the executable is not in a folder whose name contains one of the following strings:
Common Files
ComPlus Applications
Documents and Settings
InstallShield Installation Information
Internet Explorer
Messenger
Microsoft Frontpage
Movie Maker
MSN
MSN Gamin Zone
NetMeeting
Outlook Express
Recycled
System Volume Information
system32
WINDOWS
Windows Media Player
Windows NT
WindowsUpdate
WINNT
Several other criteria are applied when choosing a file to infect. The virus file is prepended to the host executable, so an infected file starts with the virus code; the original host executable can be reconstructed (and is run from a temporary file, as described under Installation) when an infected file is executed.
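The extension list and the folder exclusion list together define which files are in scope for infection, which is also the scope a cleanup has to cover. The following is an added example written for this page, not the virus's code, modelling that selection over a constructed list of paths. It assumes that matching is case-insensitive and that every folder on the path, not only the immediate parent, is tested against the exclusion strings; the description does not say which, and the "several other criteria" it mentions are not modelled.

```python
"""Model of the target selection for executable infection described above.
Added example; assumptions: case-insensitive substring matching, every folder
on the path checked.  True means 'in scope', not 'would be infected'."""
import ntpath

TARGET_EXTENSIONS = {".com", ".exe", ".pif", ".scr"}
EXCLUDED_FOLDER_STRINGS = [
    "Common Files", "ComPlus Applications", "Documents and Settings",
    "InstallShield Installation Information", "Internet Explorer", "Messenger",
    "Microsoft Frontpage", "Movie Maker", "MSN", "MSN Gamin Zone", "NetMeeting",
    "Outlook Express", "Recycled", "System Volume Information", "system32",
    "WINDOWS", "Windows Media Player", "Windows NT", "WindowsUpdate", "WINNT",
]
_EXCLUDED_LOWER = [s.lower() for s in EXCLUDED_FOLDER_STRINGS]


def excluded_folder(path):
    """Return the first exclusion string matched by any folder in the directory
    part of `path` (substring, case-insensitive), or None.  ntpath is used so
    Windows paths, including UNC paths, parse correctly on any platform."""
    directory, _ = ntpath.split(path)
    for folder in filter(None, directory.split("\\")):
        f = folder.lower()
        for s in _EXCLUDED_LOWER:
            if s in f:
                return s
    return None


def is_candidate(path):
    """Targeted extension and no excluded folder anywhere on the path."""
    ext = ntpath.splitext(path)[1].lower()
    return ext in TARGET_EXTENSIONS and excluded_folder(path) is None


def select_candidates(paths):
    return [p for p in paths if is_candidate(p)]


# Constructed sample paths covering local, removable and network locations.
SAMPLE_PATHS = [
    r"C:\Program Files\MyApp\app.exe",                 # in scope
    r"C:\WINDOWS\system32\calc.exe",                   # excluded: WINDOWS
    r"C:\Program Files\Common Files\shared.exe",       # excluded: Common Files
    r"C:\Documents and Settings\bob\Desktop\game.scr", # excluded: Documents and Settings
    r"D:\share\tools\helper.pif",                      # in scope
    r"D:\share\tools\readme.txt",                      # wrong extension
    r"\\server\share\bin\tool.com",                    # in scope (network drive)
    r"C:\Recycled\old.exe",                            # excluded: Recycled
    r"E:\MSN stuff\chat.exe",                          # excluded by substring MSN
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(("IN SCOPE " if is_candidate(p) else "skip     ") + p,
              excluded_folder(p) or "")
```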
Other information
The virus searches local and network drives for files with one of the following extensions:
ASP
ASPX
HTM
HTML
JSP
PHP
A single line is appended to each such file. This causes a certain URL to be opened every time the file is viewed in a browser, including by visitors when the file is served by a web server.
While searching the drives, the virus creates the following file in every folder it visits (note the underscore: this is not the legitimate desktop.ini):
Desktop_.ini
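The file-system traces from the Spreading section (setup.exe plus autorun.inf in a drive root) and from this section (the appended line in web files, the Desktop_.ini marker) can be swept for with one directory walk. The script below is an added example written for this page, not the virus's code. It assumes the appended line is an <iframe> or <script> whose src is an http(s) URL, since the description only says that a URL is opened; the sample tree it builds is constructed, and the contents it writes to autorun.inf and Desktop_.ini are made up.

```python
"""Sweep a directory tree (a mounted drive or a copy of one) for the traces
described above.  Added example; assumptions are noted inline."""
import os
import re
import tempfile

WEB_EXTENSIONS = {".asp", ".aspx", ".htm", ".html", ".jsp", ".php"}
MARKER_NAME = "desktop_.ini"
# Assumed form of the appended line: iframe/script loading an external URL.
APPENDED_LINE = re.compile(r"<(?:iframe|script)\b[^>]*\bsrc\s*=\s*['\"]?https?://", re.I)


def last_line(path):
    """Last non-empty line of a file, decoded leniently."""
    with open(path, "rb") as fh:
        lines = fh.read().rstrip(b"\r\n").splitlines()
    return lines[-1].decode("latin-1") if lines else ""


def sweep(root):
    """Walk `root` and collect the three kinds of trace."""
    findings = {"markers": [], "autorun_pairs": [], "appended_web_files": []}
    for dirpath, _, filenames in os.walk(root):
        names = {f.lower(): f for f in filenames}
        if MARKER_NAME in names:
            findings["markers"].append(os.path.join(dirpath, names[MARKER_NAME]))
        # The description places the pair in the root folder of removable
        # drives, so only the root of the sweep is checked for it.
        if dirpath == root and "autorun.inf" in names and "setup.exe" in names:
            findings["autorun_pairs"].append(dirpath)
        for f in filenames:
            if os.path.splitext(f)[1].lower() in WEB_EXTENSIONS:
                p = os.path.join(dirpath, f)
                if APPENDED_LINE.search(last_line(p)):
                    findings["appended_web_files"].append(p)
    return findings


def build_sample_tree():
    """Constructed sample: one of each trace plus clean files."""
    root = tempfile.mkdtemp(prefix="sweep_")
    os.makedirs(os.path.join(root, "site"))
    os.makedirs(os.path.join(root, "docs"))
    with open(os.path.join(root, "autorun.inf"), "w") as f:
        f.write("[autorun]\nopen=setup.exe\n")              # assumed contents
    with open(os.path.join(root, "setup.exe"), "wb") as f:
        f.write(b"MZ placeholder, not a real executable\n")
    open(os.path.join(root, "site", "Desktop_.ini"), "w").close()  # marker; contents unknown
    with open(os.path.join(root, "site", "index.htm"), "w") as f:
        f.write("<html><body>hello</body></html>\n"
                '<iframe src="http://example.invalid/x.htm" width=0 height=0></iframe>\n')
    with open(os.path.join(root, "docs", "clean.html"), "w") as f:
        f.write("<html><body>clean</body></html>\n")
    return root


if __name__ == "__main__":
    for kind, hits in sweep(build_sample_tree()).items():
        print(kind, hits)
```

On a real drive, run sweep() against the mount point so that the root check for the autorun pair lines up with the drive root; the web-file check only inspects the last line, which matches the single appended line the description mentions but would miss a page that was modified elsewhere.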
The following services, belonging to antivirus and firewall products and to Windows components (Windows Firewall/Internet Connection Sharing, Task Scheduler, Security Center), are disabled:
AVP
ccEvtMgr
ccProxy
ccSetMgr
FireSvc
kavsvc
KPfwSvc
KVSrvXP
KVWSC
McAfeeFramework
McShield
McTaskManager
MskService
navapsvc
NPFMntor
RsCCenter
RsRavMon
sharedaccess
schedule
SNDSrvc
SPBBCSvc
Symantec
wscsvc
The virus tries to download and execute several files from the Internet.
