When executed, the worm copies itself into the %programfiles%\Microsoft Common\ folder using the following filename:
The following Registry entries are created:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
"Debugger" = "%programfiles%\Microsoft Common\wuauclt.exe"
This causes the worm to be executed on every application start.
The worm creates and runs a new thread with its own program code within the following processes:
Spreading on removable media
The worm copies itself into the root folders of removable drives using the following name:
The following file is dropped in the same folder:
Thus, the worm ensures it is started each time infected media is inserted into the computer.
The worm contains a list of (2) URLs. It tries to download several files from these addresses using the HTTP protocol. The files are then executed.
The worm creates the following files:
%temp%\%variable%.tmp (6656 B)
The worm may set the following Registry entries:
"Userinit" = "%system%\userinit.exe,%variable1%"
"%variable2%" = "%variable3%"
"%variable4%" = "%variable5%:*:Enabled:%variable6%"
A string with variable content is used instead of %variable(1-6)%.
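
The following triage check is an added example, not code from the original description. It scans `reg export` text for the two persistence points described above: a `Debugger` value under an Image File Execution Options subkey, and a `Userinit` value carrying entries other than userinit.exe. The sample data is constructed, and the Winlogon key path in it is an assumption, since the page shows the `Userinit` value without its key.

```python
import re

IFEO = "\\image file execution options\\"
KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"([^"]+)"\s*=\s*"(.*)"$')  # string (REG_SZ) values only

# Constructed sample in `reg export` text form, not taken from a real host.
# The Winlogon key path is an assumption; the page shows only the value.
SAMPLE = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
"Debugger"="C:\\Program Files\\Microsoft Common\\wuauclt.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Users\\a\\AppData\\Local\\Temp\\abc.tmp"
'''

def parse_reg(text):
    """Yield (key, value_name, data) for each string value in .reg text."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if m := KEY_RE.match(line):
            key = m.group(1)
        elif key and (m := VAL_RE.match(line)):
            # .reg files double every backslash inside string data.
            yield key, m.group(1), m.group(2).replace("\\\\", "\\")

def find_persistence(text):
    """Return (finding, location, data) tuples that need analyst review."""
    findings = []
    for key, name, data in parse_reg(text):
        leaf = key.rsplit("\\", 1)[-1]
        if IFEO in key.lower() and name.lower() == "debugger":
            # Windows launches `data` instead of the image named by the subkey.
            findings.append(("ifeo-debugger", leaf, data))
        elif name.lower() == "userinit":
            entries = [e.strip() for e in data.split(",") if e.strip()]
            extra = [e for e in entries
                     if e.rsplit("\\", 1)[-1].lower() != "userinit.exe"]
            if extra:
                findings.append(("userinit-extra", leaf, ",".join(extra)))
    return findings

if __name__ == "__main__":
    for finding in find_persistence(SAMPLE):
        print(*finding, sep=" | ")
```

A `Debugger` value can also be set legitimately (for example by developer tooling), so each hit is a lead for review, not a verdict.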