Threat Encyclopedia


Installation
When executed, the worm copies itself into the %windir% folder using the following name:

trayicons.exe

The following file is dropped in the same folder:

windisk.dll (33792 B)

The following Registry entries are set. They hijack the file associations for .exe and .scr files, so the worm's copy is started first whenever an executable or screensaver is opened and then passes the original program on via its "exec" argument:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
"(Default)" = ""%windir%\trayicons.exe" exec "%1" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\scrfile\shell\open\command]
"(Default)" = ""%windir%\trayicons.exe" exec "%1" /S"


The following Registry entries are created:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\SYSTEM]
"DisableTaskMgr" = 0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\SYSTEM]
"DisableRegistryTools" = 1

[HKEY_CURRENT_USER\Software\Microsoft\DiskCheck]


The worm loads and injects the windisk.dll library into the following processes:

explorer.exe
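Added example, not part of the original encyclopedia entry: a Python check for the file-association hijack described above. It parses a registry export (regedit or `reg export` output), finds the exefile and scrfile shell\open\command keys under HKLM, HKCU or HKEY_CLASSES_ROOT, and reports any default value that differs from the stock Windows values `"%1" %*` and `"%1" /S`. The embedded .reg text is constructed for the example; C:\WINDOWS is assumed as the expansion of %windir%.

```python
import re

# Stock Windows values of the two shell\open\command keys the worm rewrites.
EXPECTED_OPEN_COMMAND = {
    "exefile": '"%1" %*',
    "scrfile": '"%1" /S',
}

# Key line of a .reg export: [HKLM\SOFTWARE\Classes\exefile\shell\open\command],
# the HKCU\Software\Classes equivalent, or [HKEY_CLASSES_ROOT\exefile\...].
KEY_RE = re.compile(
    r'^\[(?P<key>(?:.*\\Classes|HKEY_CLASSES_ROOT)\\(?P<cls>exefile|scrfile)'
    r'\\shell\\open\\command)\]$',
    re.IGNORECASE,
)
# The key's default value is written as @="..." in a .reg export.
VALUE_RE = re.compile(r'^@="(?P<val>.*)"$')


def _unescape_reg_string(s: str) -> str:
    """.reg files escape backslash and double quote with a backslash."""
    return re.sub(r'\\(["\\])', r'\1', s)


def _normalize(cmd: str) -> str:
    return " ".join(cmd.split()).lower()


def find_shell_hijacks(reg_text: str) -> list[tuple[str, str]]:
    """Return (key, command) for every exefile/scrfile open command that is not the stock value."""
    findings = []
    current = None  # (full key path, class) while inside a key we care about
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = KEY_RE.match(line)
            current = (m.group("key"), m.group("cls").lower()) if m else None
            continue
        if current is None:
            continue
        m = VALUE_RE.match(line)
        if m is None:
            continue
        actual = _unescape_reg_string(m.group("val"))
        if _normalize(actual) != _normalize(EXPECTED_OPEN_COMMAND[current[1]]):
            findings.append((current[0], actual))
    return findings


# Constructed sample export (not from a real host): exefile carries the hijack
# described above, scrfile still has its default. C:\WINDOWS is assumed for %windir%.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="\"C:\\WINDOWS\\trayicons.exe\" exec \"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\scrfile\shell\open\command]
@="\"%1\" /S"
'''

if __name__ == "__main__":
    for key, cmd in find_shell_hijacks(SAMPLE_REG):
        print(f"HIJACKED {key}\n         -> {cmd}")
```

On a live host, `reg export "HKLM\SOFTWARE\Classes\exefile" exefile.reg` writes UTF-16LE, so read it with `open(path, encoding="utf-16")` before passing the text in. Any command other than the stock value deserves a look, whatever path it names: the hijack works just as well from a file name other than trayicons.exe.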


Spreading via e-mail
E-mail addresses for further spreading are searched for in local files with one of the following extensions:

.adb

.asp

.dbx

.htm

.php

.pl

.sht

.tbb

.txt

.wab


The worm also uses the addresses found in the Windows Address Book.

Addresses containing the following strings are avoided:

.edu
.gov
.mil
abuse
accoun
acketst
admin
anyone
arin.
avp
berkeley
borlan
bsd
bsd
bugs
ca
certific
contact
example
feste
fido
foo.
fsf.
gnu
gold-certs
google
gov.
help
hotmail
iana
ibm.com
icrosof
icrosoft
ietf
info
inpris
isc.o
isi.e
kernel
linux
listserv
math
me
mit.e
mozilla
msn.
mydomai
no
nobody
nodomai
noone
not
nothing
ntivi
page
panda
pgp
postmaster
privacy
rating
rfc-ed
ripe.
root
ruslis
samples
secur
sendmail
service
site
soft
somebody
someone
sopho
spam
spm
submit
support
syma
tanford.e
the.bat
unix
usenet
utgers.ed
webmaster
www
you
your


The forged sender address is assembled from strings from the following two lists, a user name from the first and a domain from the second:

adam
alex
alice
andrew
anna
bill
bob
brenda
brent
brian
claudia
dan
dave
david
debby
fred
george
helen
jack
james
jane
jerry
jim
jimmy
joe
john
jose
julie
kevin
leo
linda
maria
mary
matt
michael
mike
peter
ray
robert
sam
sandra
serg
smith
stan
steve
ted
tom


aol.com
hotmail.com
msn.com
yahoo.com


Subject of the message is one of the following:

Error

hello

hi

Mail Delivery System

Mail Transaction Failed

Server Report

Status

test


Body of the message is one of the following:

Mail transaction failed. Partial message is available.


test


The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.


The message contains Unicode characters and has been sent as a binary attachment.

The attachment is an executable of the worm. The name of the attached file is one of the following:

doc

text

file

data

test

body

message

hello

readme

document

A double extension is used. The first is one of the following:

.bat

.cmd

.doc

.exe

.htm

.pif

.scr

.txt

.zip

The second is one of the following:

.exe

.pif

.scr
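Added example, not from the original entry: a Python gateway-style check that scores an e-mail against the pattern described above (lure subject, lure body text, double-extension executable attachment). It goes slightly beyond the lists: any attachment whose final extension is .exe, .pif or .scr hidden behind a second extension is treated as blocking, whatever its name, because that is the generally dangerous shape; the specific names and first extensions only add detail to the reason. The messages are constructed with the standard library for this example; the addresses and payload bytes are placeholders.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Lures and attachment names taken from the description above (compared case-insensitively).
SUBJECTS = {"error", "hello", "hi", "mail delivery system", "mail transaction failed",
            "server report", "status", "test"}
BODIES = {
    "mail transaction failed. partial message is available.",
    "test",
    "the message cannot be represented in 7-bit ascii encoding and has been sent as a binary attachment.",
    "the message contains unicode characters and has been sent as a binary attachment.",
}
BASENAMES = {"doc", "text", "file", "data", "test", "body", "message", "hello", "readme", "document"}
FIRST_EXT = {"bat", "cmd", "doc", "exe", "htm", "pif", "scr", "txt", "zip"}
SECOND_EXT = {"exe", "pif", "scr"}

DOUBLE_EXT_RE = re.compile(r"^(?P<base>.+)\.(?P<first>[a-z0-9]{1,4})\.(?P<second>[a-z0-9]{1,4})$", re.I)


def attachment_reason(filename):
    """Describe why an attachment name matches the worm's naming scheme, or return None."""
    m = DOUBLE_EXT_RE.match(filename or "")
    if m is None:
        return None
    base, first, second = (m.group(g).lower() for g in ("base", "first", "second"))
    if second not in SECOND_EXT:
        return None  # final extension is not one the worm uses
    reason = f"executable attachment with double extension .{first}.{second}"
    if first in FIRST_EXT and base in BASENAMES:
        reason += " and a name from the worm's list"
    return reason


def score_message(raw: bytes) -> dict:
    """Parse one RFC 822 message and return a verdict plus the rules it matched."""
    msg = message_from_bytes(raw, policy=policy.default)
    reasons = []
    subject = (msg["Subject"] or "").strip().lower()
    if subject in SUBJECTS:
        reasons.append(f"subject lure: {subject!r}")
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().strip().lower() if body_part is not None else ""
    if body in BODIES:
        reasons.append("body text lure")
    attachment_hit = False
    for part in msg.iter_attachments():
        reason = attachment_reason(part.get_filename())
        if reason:
            attachment_hit = True
            reasons.append(reason)
    if attachment_hit:
        verdict = "block"       # an executable behind a document extension is enough on its own
    elif reasons:
        verdict = "suspicious"  # lure text without the payload: worth logging, not blocking
    else:
        verdict = "clean"
    return {"verdict": verdict, "reasons": reasons}


def build_sample(subject: str, body: str, attachment_name: str) -> bytes:
    """Constructed test message; addresses are placeholders and the payload is not a real executable."""
    msg = EmailMessage()
    msg["From"] = "john@hotmail.com"
    msg["To"] = "someone@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(b"MZ" + b"\x00" * 30, maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    worm_like = build_sample("Mail Transaction Failed",
                             "Mail transaction failed. Partial message is available.",
                             "message.txt.scr")
    print(score_message(worm_like))
    print(score_message(build_sample("Quarterly report", "Attached as discussed.", "report.pdf")))
```

The subject and body lists are weak signals on their own ("hi", "test" and bounce-style texts occur in legitimate mail), which is why they only raise the verdict to "suspicious"; the attachment shape is what justifies blocking.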


Spreading via P2P networks
The worm searches for shared folders of the following programs:

Kazaa


Copies of the worm's executable are placed there under the following filenames:

activation_crack

icq2004-final

nuke2004

office_crack

rootkitXP

strip-girl-2.0bdcom_patches

winamp5


The filename has one of the following extensions:

bat

exe

pif

scr


Other information
The worm may create copies of itself using the following filenames:

%windir%\Temp\checkmem.exe

%temp%\checkdisk.exe

diskscan.exe

%windir%\Temp\iotemp.dll

%temp%\iotemp.dll

iometer.dll


The worm can download a file from the Internet and execute it; it contains a list of 6 URLs. It can also send various information about the infected computer.