Threat Encyclopedia


When executed, the worm copies itself in the %programfiles%\Microsoft Common\ folder using the following filename:


The following Registry entries are created:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
"Debugger" = "%programfiles%\Microsoft Common\wuauclt.exe"


This causes the worm to be executed on every application start.

The worm creates and runs a new thread with its own program code within the following processes:



Spreading on removable media

The worm copies itself into the root folders of removable drives using the following name:


The following file is dropped in the same folder:


Thus, the worm ensures it is started each time infected media is inserted into the computer.

Other information

The worm contains a list of 2 URLs. It tries to download several files from these addresses over HTTP. The downloaded files are then executed.

The worm creates the following files:

%temp%\%variable%.tmp (6656 B)

The worm may set the following Registry entries:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit" = "%system%\userinit.exe,%variable1%"

"%variable2%" = "%variable3%"

"%variable4%" = "%variable5%:*:Enabled:%variable6%"


A string with variable content is used in place of each of %variable1% to %variable6%.
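The registry changes listed above can be checked for in a registry listing taken from a suspect host. The following is an added example, not part of the original write-up: a small auditor that flags a "Debugger" value under Image File Execution Options, extra entries appended to "Userinit", and values in the `...:*:Enabled:...` form. It assumes the listing uses the same notation as this page; the sample paths and the `SOFTWARE\Example\List` key are constructed placeholders, since the page does not name that key.

```python
import re

# Constructed sample in this page's notation; example.exe paths are made up.
SAMPLE = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
"Debugger" = "%programfiles%\Microsoft Common\wuauclt.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit" = "%system%\userinit.exe,%temp%\example.exe"
"Shell" = "explorer.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\List]
"%temp%\example.exe" = "%temp%\example.exe:*:Enabled:example"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VAL_RE = re.compile(r'^"(.*?)"\s*=\s*"(.*)"$')
IFEO = '\\image file execution options\\'
WINLOGON = '\\windows nt\\currentversion\\winlogon'

def audit(text):
    """Return (rule, key, name, value) tuples for entries matching the write-up."""
    findings, key = [], ""
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:                      # new registry key header
            key = m.group(1)
            continue
        m = VAL_RE.match(line)
        if not m:                  # blank line or unsupported value type
            continue
        name, value = m.groups()
        low = key.lower()
        if IFEO in low and name.lower() == "debugger":
            # Any Debugger value redirects launches of that image; review it.
            findings.append(("ifeo-debugger", key, name, value))
        elif low.endswith(WINLOGON) and name.lower() == "userinit":
            # Anything other than userinit.exe in the comma list is an addition.
            extra = [p for p in value.split(",") if p.strip()
                     and not p.strip().lower().endswith("\\userinit.exe")]
            if extra:
                findings.append(("userinit-extra", key, name, value))
        elif ":*:Enabled:" in value:
            findings.append(("enabled-exception", key, name, value))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A "Debugger" value is also a legitimate developer feature, so each hit should be reviewed against the target path rather than treated as confirmation on its own.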