Threat Encyclopedia


Installation
When executed, the worm copies itself into the %programfiles%\Microsoft Common\ folder using the following filename:

wuauclt.exe

The following Registry entries are created:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
"Debugger" = "%programfiles%\Microsoft Common\wuauclt.exe"

Because the Debugger value is set under the Image File Execution Options key for explorer.exe, the worm is executed on every start of that application.

The worm creates and runs a new thread with its own program code within the following processes:

%system%\svchost.exe

%windir%\explorer.exe


Spreading on removable media

The worm copies itself into the root folders of removable drives using the following name:

system.exe

The following file is dropped in the same folder:

autorun.inf

Thus, the worm ensures it is started each time infected media is inserted into the computer.


Other information

The worm contains a list of 2 URLs. It tries to download several files from these addresses over HTTP. The files are then executed.

The worm creates the following files:

%temp%\%variable%.tmp (6656 B)


The worm may set the following Registry entries:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit" = "%system%\userinit.exe,%variable1%"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"%variable2%" = "%variable3%"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%variable4%" = "%variable5%:*:Enabled:%variable6%"

A string with variable content is used in place of each of %variable1% through %variable6%.
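
A triage check for the Registry changes listed in this entry, as an added example that is not part of the original description: it scans the text of a registry export for an Image File Execution Options Debugger value, extra programs appended to Winlogon Userinit, and any-address firewall AuthorizedApplications entries. The function name, finding labels and sample export (including the expanded C:\ paths) are constructed for illustration.

```python
import re

# Constructed sample in regedit export format (not taken from a real host).
SAMPLE_REG = r'''
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
"Debugger"="C:\\Program Files\\Microsoft Common\\wuauclt.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Users\\a\\AppData\\Local\\Temp\\x.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Users\\a\\AppData\\Local\\Temp\\x.exe"="C:\\Users\\a\\AppData\\Local\\Temp\\x.exe:*:Enabled:update"
'''

# Lower-cased key fragments for the three locations named in the entry.
IFEO = r"\currentversion\image file execution options" + "\\"
WINLOGON = r"\windows nt\currentversion\winlogon"
FW_LIST = r"\firewallpolicy\standardprofile\authorizedapplications\list"
# Only quoted string values are parsed; hex:/dword: lines are skipped.
VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def find_indicators(reg_text):
    """Return (finding, name, data) tuples; reg_text is an already-decoded export."""
    findings, key = [], ""
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            continue
        m = VALUE.match(line)
        if not m:
            continue
        name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
        if IFEO in key and name.lower() == "debugger":
            findings.append(("ifeo_debugger", key.rsplit("\\", 1)[1], data))
        elif key.endswith(WINLOGON) and name.lower() == "userinit":
            # The stock value holds only system32\userinit.exe (plus a trailing comma).
            extra = [p for p in data.split(",") if p.strip()
                     and not p.strip().lower().endswith("\\system32\\userinit.exe")]
            if extra:
                findings.append(("userinit_extra", name, ",".join(extra)))
        elif key.endswith(FW_LIST) and ":*:enabled:" in data.lower():
            # Any-address allow rule: a lead to review, not a verdict by itself.
            findings.append(("firewall_any_scope", name, data))
    return findings
```

Exports written by regedit are UTF-16, so decode the file before passing its text to find_indicators.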