Threat Encyclopedia


Installation

When executed, the virus drops the following file in the %windir% folder:

linkinfo.dll

The file is 46592 B in size. linkinfo.dll is also the name of a legitimate Windows library whose genuine copy resides in %system%; a copy placed in %windir%, the directory explorer.exe runs from, is found before the genuine one under the default DLL search order, which is how the library gets loaded into the following process:

explorer.exe

The following file is dropped in the %system%\drivers folder:

nvmini.sys

The file is 17152 B in size.

The following Registry entries are set, registering the dropped file as a kernel driver service whose display name imitates an NVIDIA video miniport driver:


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nvmini]
"DisplayName" = "NVIDIA Compatible Windows Miniport Driver"
"ImagePath" = "%system%\drivers\nvmini.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NVMINI]
"NextInstance" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NVMINI\0000]
"Service" = "nvmini"
"Legacy" = 1
"ConfigFlags" = 0
"Class" = "LegacyDriver"
"DeviceDesc" = "nvmini"
"Capabilities" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NVMINI\0000\Control]
"DeviceReference" = -2121667312
"ActiveService" = "nvmini"
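Added example (not part of the original entry): a Python triage script that checks a host, or a mounted disk image, for the installation indicators listed above. The directory names are passed in rather than read from the environment so the same check runs against an offline image. The registry check uses the standard winreg module and is skipped on non-Windows hosts. The sample tree built by demo() is constructed here for illustration.

```python
"""Check a host (or a mounted image) for the installation indicators above."""
import sys
import tempfile
from pathlib import Path

# Dropped files and sizes as given in the description above.
DROPPED_DLL = ("linkinfo.dll", 46592)        # written to %windir%
DROPPED_DRIVER = ("nvmini.sys", 17152)       # written to %system%\drivers
SERVICE_KEY = r"SYSTEM\CurrentControlSet\Services\nvmini"


def _inspect(path, expected_size, note):
    """Describe one file if it exists: path, size and whether the size matches."""
    if not path.is_file():
        return None
    size = path.stat().st_size
    return {"path": str(path), "size": size,
            "size_match": size == expected_size, "note": note}


def check_dropped_files(windir, system_dir):
    """Return findings for the two dropped files.

    windir and system_dir are what %windir% and %system% expand to; they are
    parameters so the same check runs against a live host, a mounted disk
    image or a test directory.
    """
    windir, system_dir = Path(windir), Path(system_dir)
    candidates = [
        # The genuine linkinfo.dll lives in %system%. explorer.exe runs from
        # %windir%, and the default DLL search order tries the application's
        # own directory first, so any linkinfo.dll in %windir% is suspicious
        # on its own; an exact size match is the stronger signal.
        _inspect(windir / DROPPED_DLL[0], DROPPED_DLL[1],
                 "linkinfo.dll in %windir% (genuine copy belongs in %system%)"),
        _inspect(system_dir / "drivers" / DROPPED_DRIVER[0], DROPPED_DRIVER[1],
                 "nvmini.sys driver dropped by the virus"),
    ]
    return [c for c in candidates if c is not None]


def check_service_key():
    """Windows only: return DisplayName/ImagePath of the nvmini service, or None."""
    if sys.platform != "win32":
        return None
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SERVICE_KEY) as key:
            return {name: winreg.QueryValueEx(key, name)[0]
                    for name in ("DisplayName", "ImagePath")}
    except OSError:            # key or value absent: service not registered
        return None


def demo():
    """Build a constructed directory tree mimicking an infected %windir% and check it."""
    with tempfile.TemporaryDirectory() as base:
        windir = Path(base) / "Windows"
        system_dir = windir / "System32"
        (system_dir / "drivers").mkdir(parents=True)
        # Constructed stand-ins: zero-filled files of the sizes quoted above.
        (windir / DROPPED_DLL[0]).write_bytes(b"\0" * DROPPED_DLL[1])
        (system_dir / "drivers" / DROPPED_DRIVER[0]).write_bytes(b"\0" * DROPPED_DRIVER[1])
        return check_dropped_files(windir, system_dir)


if __name__ == "__main__":
    import os
    windir = os.environ.get("WINDIR", r"C:\Windows")
    for finding in check_dropped_files(windir, Path(windir) / "System32"):
        print(finding)
    print("service key:", check_service_key())
```

Run on a live Windows host it reports both files and the service key; pointed at a mounted image, pass the image's Windows and System32 directories instead. A size mismatch on linkinfo.dll in %windir% is still worth investigating, since no legitimate copy belongs there.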


Executable files infection

The virus searches for executables on local drives. Infection is attempted only if the executable's path does not contain one of the following strings:

LOCAL SETTINGS\TEMP\
\QQ
\WINNT\
\WINDOWS\

Files with the following names are not infected (many of them are online game clients, launchers and updaters):

大话西游.exe (filename given as the GBK bytes B4 F3 BB B0 CE F7 D3 CE)
asktao.exe
au_unins_web.exe
audition.exe
autoupdate.exe
ca.exe
cabal.exe
cabalmain.exe
cabalmain9x.exe
config.exe
dbfsupdate.exe
dk2.exe
dragonraja.exe
flyff.exe
game.exe
gc.exe
hs.exe
kartrider.exe
main.exe
maplestory.exe
meteor.exe
mhclient-connect.exe
mjonline.exe
mts.exe
nbt-dragonraja2006.exe
neuz.exe
nmcosrv.exe
nmservice.exe
nsstarter.exe
patcher.exe
patchupdate.exe
sealspeed.exe
trojankiller.exe
userpic.exe
wb-service.exe
woool.exe
wooolcfg.exe
xlqy2.exe
xy2.exe
xy2player.exe
zfs.exe
zhengtu.exe
ztconfig.exe
zuonline.exe

Several other criteria are applied when choosing a file to infect. Executables are infected by appending the virus code to the file's last section; the inserted code is 38912 B in size.


Spreading via shared folders

The virus tries to copy itself into shared folders on machines on the local network, using the following filename:

setup.exe

The copy is then executed remotely. The virus carries a built-in list of passwords that it tries when authenticating to remote machines, so hosts with weak or reused administrative passwords are the ones it reaches.


Spreading on removable media

The virus copies itself into the root folder of removable drives using the following filename:

boot.exe

The following file is created in the same folders:

autorun.inf

This causes the virus to be executed when the infected medium is inserted into a system on which AutoRun still processes autorun.inf from removable drives.
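Added example (not part of the original entry): a Python check for the removable-media pairing described above. It parses autorun.inf with the same leniency as the Windows INI reader (case-insensitive section and key names, whitespace around '=', ';' comments) and reports whether any launch directive points at boot.exe in the drive root. The entry does not give the content of the virus's autorun.inf, so SAMPLE_AUTORUN is a constructed file in the shape such droppers write, not the real one.

```python
"""Parse autorun.inf and check a removable-drive root for the two files above."""
import re
import tempfile
from pathlib import Path

DROPPED_EXE = "boot.exe"      # filename used on removable media (from the description)
AUTORUN_NAME = "autorun.inf"
# Directives through which autorun.inf names a program to run.
LAUNCH_KEYS = ("open", "shellexecute")

# Constructed sample in the shape such droppers write; NOT the virus's actual file.
SAMPLE_AUTORUN = (
    "[AutoRun]\r\n"
    ";comment lines are ignored by the parser\r\n"
    "OPEN = boot.exe\r\n"
    "shell\\open=Open(&O)\r\n"
    "shell\\open\\Command=boot.exe\r\n"
    "shell\\explore\\command=\"boot.exe\" -e\r\n"
    "shell=open\r\n"
)


def parse_autorun(text):
    """Return {directive: command} for every launch directive in an [autorun] section.

    Mirrors the leniency of the Windows INI reader: section and key names are
    case-insensitive, whitespace around '=' is ignored, and lines starting
    with ';' are comments. Only 'open', 'shellexecute' and
    'shell\\<verb>\\command' can launch a program, so only those are returned.
    """
    targets = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        section = re.fullmatch(r"\[(.*)\]", line)
        if section:
            in_autorun = section.group(1).strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            targets[key] = value
    return targets


def command_program(command):
    """Lower-cased basename of the program in a command string, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        program = command[1:end] if end != -1 else command[1:]
    else:
        program = command.split(None, 1)[0] if command else ""
    return Path(program.replace("\\", "/")).name.lower()


def check_removable_root(root):
    """Report whether a drive root carries autorun.inf pointing at boot.exe."""
    root = Path(root)
    report = {"boot_exe_present": (root / DROPPED_EXE).is_file(),
              "autorun_present": False, "launch_targets": {},
              "launches_dropped_exe": False}
    inf = root / AUTORUN_NAME
    if inf.is_file():
        report["autorun_present"] = True
        # latin-1 never fails, so binary junk inside the file does not abort the check
        report["launch_targets"] = parse_autorun(inf.read_bytes().decode("latin-1"))
        report["launches_dropped_exe"] = any(
            command_program(cmd) == DROPPED_EXE for cmd in report["launch_targets"].values())
    return report


def demo():
    """Constructed drive root holding the sample autorun.inf and an empty boot.exe."""
    with tempfile.TemporaryDirectory() as root:
        (Path(root) / AUTORUN_NAME).write_bytes(SAMPLE_AUTORUN.encode("ascii"))
        (Path(root) / DROPPED_EXE).write_bytes(b"")
        return check_removable_root(root)


if __name__ == "__main__":
    import sys
    print(check_removable_root(sys.argv[1] if len(sys.argv) > 1 else "."))
```

Point it at a drive root (for example `E:\`) to check real media. The parser returns every launch directive rather than stopping at the first so that a file that names boot.exe only under a non-default verb is still flagged.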


Other information

Processes with the following names are terminated; the list mixes legitimate Windows and browser processes (explorer.exe, lsass.exe, smss.exe, iexplore.exe) with look-alikes of system process names used by other malware (iexpl0re.exe, spo0lsv.exe, svch0st.exe, rundl132.exe):

c0nime.exe
cmdbcs.exe
ctmontv.exe
explorer.exe
fuckjacks.exe
iexpl0re.exe
iexplore.exe
internat.exe
logo_1.exe
logo1_.exe
lsass.exe
lying.exe
msdccrt.exe
msvce32.exe
ncscv32.exe
nvscv32.exe
realschd.exe
rpcs.exe
run1132.exe
rundl132.exe
smss.exe
spo0lsv.exe
spoclsv.exe
ssopure.exe
svhost32.exe
svch0st.exe
sxs.exe
sysbmw.exe
sysload3.exe
tempicon.exe
upxdnd.exe
wdfmgr32.exe
wsvbs.exe

The virus can send various information to a remote machine over the Internet.