When executed, the virus drops the following file in the %windir% folder:
The size of the file is 46592 B. The library is loaded and injected into the following process:
The following file is dropped in the %system%\drivers folder:
The size of the file is 17152 B.
The following Registry entries are set:
"DisplayName" = "NVIDIA Compatible Windows Miniport Driver"
"ImagePath" = "%system%\drivers\nvmini.sys"
"NextInstance" = 1
"Service" = "nvmini"
"Legacy" = 1
"ConfigFlags" = 0
"Class" = "LegacyDriver"
"DeviceDesc" = "nvmini"
"Capabilities" = 0
"DeviceReference" = -2121667312
"ActiveService" = "nvmini"
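
A triage check for the driver service indicators listed above, as an added example that is not part of the original description. It parses registry export text and reports which keys match the stated DisplayName, ImagePath and driver size; the sample export and its key paths are constructed, and reading %system% as the System32 folder is an assumption.

```python
import re

# Indicators stated in the description above.
DISPLAY_NAME = "nvidia compatible windows miniport driver"
DRIVER_TAIL = r"\drivers\nvmini.sys"  # tail of %system%\drivers\nvmini.sys
DRIVER_SIZE = 17152                   # bytes

# Constructed .reg export for illustration. The key paths are assumptions
# (standard service key location); the description does not show them.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nvmini]
"DisplayName"="NVIDIA Compatible Windows Miniport Driver"
"ImagePath"="\\??\\C:\\WINDOWS\\system32\\drivers\\nvmini.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nvlddmkm]
"DisplayName"="nvlddmkm"
"ImagePath"="\\SystemRoot\\System32\\drivers\\nvlddmkm.sys"
'''

def parse_reg(text):
    """Parse .reg text into {key_path: {value_name_lower: data}} (string values only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None:
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m:  # .reg files escape each backslash as two
                current[m.group(1).lower()] = m.group(2).replace("\\\\", "\\")
    return keys

def indicator_hits(values, driver_size=None):
    """Return the names of the indicators that one key's values match."""
    hits = []
    if values.get("displayname", "").lower() == DISPLAY_NAME:
        hits.append("DisplayName")
    path = values.get("imagepath", "").lower()
    if path.endswith(DRIVER_TAIL) and ("system32" in path or "%system%" in path):
        hits.append("ImagePath")
    if driver_size == DRIVER_SIZE:
        hits.append("driver size")
    return hits

def scan(text, sizes=None):
    """Map each matching key to its hits; sizes maps key path -> on-disk file size."""
    sizes = sizes or {}
    report = {k: indicator_hits(v, sizes.get(k)) for k, v in parse_reg(text).items()}
    return {k: h for k, h in report.items() if h}
```
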
Executable files infection
The virus searches for executables on local drives. Infection is attempted only if an executable is not in a folder that contains one of the following strings in the name:
Files with the following names are not infected:
Several other criteria are applied when choosing a file to infect. Executables are infected by appending the code of the virus to the last section. The size of the inserted code is 38912 B.
Spreading via shared folders
The virus tries to copy itself into shared folders of machines on a local network. The following filename is used:
The file is then remotely executed. The virus contains a list of passwords that are tried when accessing remote machines.
Spreading on removable media
The virus copies itself into the root folders of removable drives using the following filename:
The following file is created in the same folders:
This causes the virus to be executed when infected media is inserted.
The following programs are terminated:
The virus can send various information to a remote machine over the Internet.