Threat Encyclopedia


Installation
When executed, the trojan drops into the folder

%appdata%\Microsoft\Speech\Files\UserLexicons\

the following file:

SP_%variable%.dat (940 B)

The %variable% stands for a random number.

The following Registry entries are set:

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
"(Default)" = ":: Win32\Hira.A - eCORE[GEDZAC] - I AlwAyS WilL LoVE YoU BeA ::"

[HKEY_CLASSES_ROOT\comfile\shell\open\command]
"(Default)" = ":: Win32\Hira.A - eCORE[GEDZAC] - I AlwAyS WilL LoVE YoU BeA ::"

[HKEY_CLASSES_ROOT\piffile\shell\open\command]
"(Default)" = ":: Win32\Hira.A - eCORE[GEDZAC] - I AlwAyS WilL LoVE YoU BeA ::"

[HKEY_CLASSES_ROOT\batfile\shell\open\command]
"(Default)" = ":: Win32\Hira.A - eCORE[GEDZAC] - I AlwAyS WilL LoVE YoU BeA ::"

[HKEY_CLASSES_ROOT\vbsfile\shell\open\command]
"(Default)" = ":: Win32\Hira.A - eCORE[GEDZAC] - I AlwAyS WilL LoVE YoU BeA ::"

[HKEY_CLASSES_ROOT\jsfile\shell\open\command]
"(Default)" = ":: Win32\Hira.A - eCORE[GEDZAC] - I AlwAyS WilL LoVE YoU BeA ::"

[HKEY_CLASSES_ROOT\htmlfile\shell\open\command]
"(Default)" = ":: Win32\Hira.A - eCORE[GEDZAC] - I AlwAyS WilL LoVE YoU BeA ::"

[HKEY_CLASSES_ROOT\htmfile\shell\open\command]
"(Default)" = ":: Win32\Hira.A - eCORE[GEDZAC] - I AlwAyS WilL LoVE YoU BeA ::"

[HKEY_CLASSES_ROOT\mp3file\shell\open\command]
"(Default)" = ":: Win32\Hira.A - eCORE[GEDZAC] - I AlwAyS WilL LoVE YoU BeA ::"

[HKEY_CLASSES_ROOT\jpgfile\shell\open\command]
"(Default)" = ":: Win32\Hira.A - eCORE[GEDZAC] - I AlwAyS WilL LoVE YoU BeA ::"

[HKEY_CLASSES_ROOT\service\CLSID]
"(Default)" = ":: Win32\Hira.A - eCORE[GEDZAC] - I AlwAyS WilL LoVE YoU BeA ::"

[HKEY_CURRENT_USER\Software\Microsoft\Speech\CurrentUserLexicon]
"(Default)" = "Current User Lexicon"
"CLSID" = "{C9E37C15-DF92-4727-85D6-72E5EEB6995A}"
"FlushRate" = 10

[HKEY_CURRENT_USER\Software\Microsoft\Speech\CurrentUserLexicon\{C9E37C15-DF92-4727-85D6-72E5EEB6995A}\Files]
"Datafile" = "%1a%\Microsoft\Speech\Files\UserLexicons\SP_%variable%.dat"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools" = 1
"DisableTaskMgr" = 1

The modified Registry entries will prevent specific files from being opened.
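
The Python below is an added example, not part of the original entry or of any vendor tool. It scans a registry export for the changes listed above: an open handler for one of the listed file types whose default value neither names a program nor passes `%1`/`%L` (a broader check than matching the exact marker string), and the two `Policies\System` values set to 1. The function names, the handler heuristic and the sample export are constructed assumptions.

```python
import re
# ProgIDs whose shell\open\command default value the page lists as overwritten.
PROGIDS = {"exefile", "comfile", "piffile", "batfile", "vbsfile", "jsfile",
           "htmlfile", "htmfile", "mp3file", "jpgfile"}
POLICY_KEY = r"hkey_current_user\software\microsoft\windows\currentversion\policies\system"
POLICY_VALUES = {"disableregistrytools", "disabletaskmgr"}
VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")\s*=\s*(.*)$')

def parse_reg(text):
    """Yield (key, value_name, value) from regedit-export style text."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        m = VALUE_LINE.match(line)
        if not (key and m):
            continue
        name = "" if m.group(1) in ("@", '"(Default)"') else m.group(1)[1:-1]
        data = m.group(2).strip()
        if data.startswith('"'):                  # REG_SZ: undo \\ and \" escapes
            value = re.sub(r"\\(.)", r"\1", data[1:-1])
        elif data.lower().startswith("dword:"):   # REG_DWORD is written in hex
            value = int(data[6:], 16)
        else:                                     # bare number, as the page writes it
            value = int(data) if data.isdigit() else data
        yield key, name, value

def findings(text):
    """Return (key, value_name, value) tuples that match the page's indicators."""
    hits = []
    for key, name, value in parse_reg(text):
        parts = key.lower().split("\\")
        if (len(parts) == 5 and parts[0] == "hkey_classes_root" and name == ""
                and parts[1] in PROGIDS and parts[2:] == ["shell", "open", "command"]):
            # Heuristic (assumption): a working handler names a program or passes %1/%L.
            if not re.search(r"%[1l]|\.exe", str(value), re.I):
                hits.append((key, "(Default)", value))
        elif key.lower() == POLICY_KEY and name.lower() in POLICY_VALUES and value == 1:
            hits.append((key, name, value))
    return hits
# Constructed sample in regedit export syntax (not a capture from a real host).
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@=":: Win32\\Hira.A - eCORE[GEDZAC] - I AlwAyS WilL LoVE YoU BeA ::"
[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001'''
```

Because the trojan disables the Registry tools and Task Manager on the live system, the export is best taken offline from the affected user's hive and passed to `findings()`.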

 

Other information
The following programs are terminated:

explorer.exe

msnmsgr.exe


The trojan may delete files stored in the following folders:

C:\

%windir%

%windir%\ServicePackFiles\i386\

%windir%\$NtServicePackUninstall$\

%My Video%

%My Pictures%

%My Music%

%Personal%

%Desktop%


The trojan may display a dialog box with the title:

Bea TkMmMmMmM

The dialog box contains the following text:

I ProMise ... I Will Love YoU AlWayS BEa!


The trojan uses Microsoft Speech technology. It may play the following text in a spoken voice:

You has been infected I repeat You has been infected and your system files has been deletes. Sorry Have a Nice Day and bye bye


The trojan blocks keyboard and mouse input.