Threat Encyclopedia

Installation
When executed, the worm copies itself to the following locations:

C:\Program Files\Common Files\Microsoft Shared\Web Folders\msosv.exe

C:\Program Files\Common Files\Microsoft Shared\Web Folders\msosvext.exe

The following Registry entries are set:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Hello World]
"Type" = 16
"Start" = 2
"ErrorControl" = 1
"ImagePath" = "C:\Program Files\Common Files\Microsoft Shared\Web Folders\MSOSV.EXE"
"DisplayName" = "lÖÓnÍrͨN¶?­Né"
"ObjectName" = "LocalSystem"

Spreading on removable media
The worm copies itself into the root folders of removable drives using the following name:

game.exe

The following file is dropped in the same folder:

autorun.inf

Executable files infection
The worm searches local and network drives for files with one of the following extensions:

.exe

The worm infects files by prepending its code to the original program. When an infected file is executed, the original program is dropped to a temporary file and run from there. The name of the temporary file is:

Run_TempA.exe

It skips files with the following names:

xyqplayer.exe
XY1Update.exe
XY1Patch.exe
gpatch.exe
WowError.exe
BackgroundDownloader.exe
Repair.exe
WoW.exe
soul.exe
AutoPatch.exe
Client.exe
elementclient.exe
uninstall.exe
ztconfig.exe
patchupdate.exe
VMPFULL_TENCENT.EXE
uninst000.exe
Timwp.exe
TIMPlatform.exe
QQLIVEUPDATE.EXE
QQPLAYERSVR.EXE
MAGICFLASH.EXE
ShowIP.exe
QQ3DAVPLAYER.EXE
QZONESUPPORT.EXE
SUN.exe
Sungame.exe
WzVoiceClient.exe
AutoUpdate.exe
DBFSupdate.exe
Play.exe

Other information
The worm may create copies of the following files (source, destination):

%system%\notepad.exe, %windir%\svchost.exe

The worm launches the following processes:

iexplore.exe

%windir%\svchost.exe

The worm then creates a new thread inside each of these running processes and executes its own code there.

The worm modifies the following file:

%system%\drivers\etc\hosts

The worm writes entries to this file that map a list of Internet hostnames to 127.0.0.1, effectively blocking access to those sites.


The worm tries to download and execute several files from the Internet. The downloaded files are stored in the following locations:

C:\Program Files\Common Files\Microsoft Shared\Web Folders\shift.ini

%windir%\error.ini

C:\Program Files\Common Files\Microsoft Shared\Web Folders\package.tmp

C:\Program Files\Common Files\Microsoft Shared\Web Folders\MSOSV_TMP.EXE

C:\Program Files\Common Files\Microsoft Shared\Web Folders\SVCHOST.EXE

C:\Program Files\Common Files\Microsoft Shared\Web Folders\Temp%variable%.exe

A string with variable content is used instead of %variable%.
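As an added defender-side example (not part of this encyclopedia entry), a small Python triage script built from the artefacts described above: it flags hosts-file lines that pin non-local names to 127.0.0.1 or 0.0.0.0, and checks whether a file path or a service record matches the installation details in this entry. The hostnames and the service record it runs on are constructed sample data.

```python
"""Added triage example, not part of this encyclopedia entry. The sample
hosts file and service record below are constructed, not real values."""
from pathlib import PureWindowsPath

WEB_FOLDERS = PureWindowsPath(
    r"C:\Program Files\Common Files\Microsoft Shared\Web Folders")
# Files the entry names under Web Folders. PureWindowsPath compares and
# hashes case-insensitively, so MSOSV.EXE and msosv.exe match.
KNOWN_DROPS = {WEB_FOLDERS / n for n in ("msosv.exe", "msosvext.exe",
               "shift.ini", "package.tmp", "MSOSV_TMP.EXE", "SVCHOST.EXE")}
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}

def hosts_sinkholed(text):
    """Hostnames pinned to loopback or 0.0.0.0 that are not standard local
    names. A clean Windows hosts file has none, so every hit is worth a look."""
    hits = {}  # dict keeps first-seen order and drops duplicates
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and padding
        if not line:
            continue
        addr, *names = line.split()  # tolerant of odd tokens like 'a,b.com'
        if addr.startswith("127.") or addr in ("0.0.0.0", "::1"):
            for name in names:
                if name.lower() not in LOCAL_NAMES:
                    hits.setdefault(name)
    return list(hits)

def is_known_drop(path):
    """True if path is one of the drop locations the entry names."""
    return PureWindowsPath(path) in KNOWN_DROPS

def service_matches(svc):
    """True if a service record looks like the one the entry describes:
    auto-start (Start=2), ImagePath under Web Folders, runs as LocalSystem."""
    image = svc.get("ImagePath", "").strip('"')
    return (is_known_drop(image) and svc.get("Start") == 2
            and svc.get("ObjectName", "").lower() == "localsystem")

SAMPLE_HOSTS = """# constructed sample hosts file (placeholder .test names)
127.0.0.1 localhost
127.0.0.1 update.example-av.test
127.0.0.1 www.example-game.test   # trailing comment
0.0.0.0   patch.example-game.test
"""
SAMPLE_SERVICE = {"Type": 16, "Start": 2, "ErrorControl": 1,
                  "ImagePath": str(WEB_FOLDERS / "MSOSV.EXE"),
                  "ObjectName": "LocalSystem"}
```

On a live system, feed `hosts_sinkholed` the contents of `%system%\drivers\etc\hosts` and `service_matches` the values read from each key under `HKLM\SYSTEM\CurrentControlSet\Services`.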