Threat Encyclopedia

Installation

When an infected file is executed, the virus first drops the original host program to a temporary file and runs it. The virus copies itself to the following location:

%windir%\drivers\spoclsv.exe

In order to be executed on every system start, the virus sets the following Registry entry:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"svcshare" = "%windir%\drivers\spoclsv.exe"

The following Registry entry is set, so that choosing "Show hidden files and folders" in Windows Explorer no longer reveals hidden files:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue" = 0

The following Registry entries, autostart values mostly belonging to security products, are deleted:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RavTask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KvMonXP
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kav
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KAVPersonal50
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\McAfeeUpdaterUI
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Network Associates Error Reporting Service
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShStatEXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YLive.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yassistse
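As an added defender-side example (not part of this encyclopedia entry), the following Python script parses a Registry export and flags the two Installation indicators described above: a Run value that launches ...\drivers\spoclsv.exe and a SHOWALL\CheckedValue of 0. The embedded .reg text is constructed sample data, not an export from a real machine.

```python
import re

# Registry locations named in the Installation section above.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
SHOWALL_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
               r"\Explorer\Advanced\Folder\Hidden\SHOWALL")
DROPPER_SUFFIX = r"\drivers\spoclsv.exe"

def parse_reg(text):
    """Parse the .reg subset used here: [key] headers, then "name"=value lines
    (quoted strings with \\ unescaped, or dword:hex)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1)
            keys[current] = {}
            continue
        entry = re.match(r'^"([^"]+)"=(.*)$', line)
        if entry and current is not None:
            name, raw = entry.groups()
            if raw.startswith('"') and raw.endswith('"'):
                keys[current][name] = raw[1:-1].replace("\\\\", "\\")
            elif raw.lower().startswith("dword:"):
                keys[current][name] = int(raw[6:], 16)
            else:
                keys[current][name] = raw
    return keys

def find_indicators(text):
    """Return human-readable hits for the two registry indicators above."""
    keys = parse_reg(text)
    hits = []
    for name, value in keys.get(RUN_KEY, {}).items():
        if isinstance(value, str) and value.lower().endswith(DROPPER_SUFFIX):
            hits.append(f"autostart value '{name}' runs {value}")
    if keys.get(SHOWALL_KEY, {}).get("CheckedValue") == 0:
        hits.append("SHOWALL\\CheckedValue is 0: hidden files cannot be shown")
    return hits

# Constructed sample export (not from a real machine) with both indicators.
SAMPLE_REG = r"""[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"svcshare"="C:\\WINDOWS\\drivers\\spoclsv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000
"""
```

Running `find_indicators(SAMPLE_REG)` returns one hit per indicator; the benign ctfmon.exe entry is ignored.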

Spreading

The virus copies itself to the root folder of removable drives using the following filename:

setup.exe

The following file is created in the same folders:

autorun.inf

This causes the virus to be executed by AutoRun when infected media are inserted.

Executable file infection

The virus searches local and network drives for executables with one of the following extensions:

COM
EXE
PIF
SCR

Infection is attempted only if the executable is not located in a folder whose name contains one of the following strings:

Common Files
ComPlus Applications
Documents and Settings
InstallShield Installation Information
Internet Explorer
Messenger
Microsoft Frontpage
Movie Maker
MSN
MSN Gamin Zone
NetMeeting
Outlook Express
Recycled
System Volume Information
system32
WINDOWS
Windows Media Player
Windows NT
WindowsUpdate
WINNT

Several other criteria are applied when choosing a file to infect. The virus prepends its own code to the host executable; when an infected file is run, the original host is reconstructed and executed as described under Installation.

Other information

The virus searches local and network drives for files with one of the following extensions:

ASP
ASPX
HTM
HTML
JSP
PHP

A single line is appended to each such file, causing a certain URL to be opened when the file is viewed in a browser.
While searching the drives, the virus creates the following file in every folder it visits:

Desktop_.ini

The following services are disabled (mostly security products; sharedaccess is the Windows Firewall/Internet Connection Sharing service, wscsvc is Windows Security Center and schedule is the Task Scheduler):

AVP
ccEvtMgr
ccProxy
ccSetMgr
FireSvc
kavsvc
KPfwSvc
KVSrvXP
KVWSC
McAfeeFramework
McShield
McTaskManager
MskService
navapsvc
NPFMntor
RsCCenter
RsRavMon
sharedaccess
schedule
SNDSrvc
SPBBCSvc
Symantec
wscsvc

The virus tries to download and execute several files from the Internet.