Selected viruses, spyware, and other threats: sorted alphabetically
When an infected file is executed, the virus drops the host in a temporary file and runs it. The virus copies itself in the following location:
In order to be executed on every system start, the virus sets the following Registry entry:
"svcshare" = "%windir%\drivers\spoclsv.exe"
The following Registry entry is set:
"CheckedValue" = 0
The following Registry entries are deleted:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Network Associates Error Reporting Service
The virus copies itself in root folders of removable drives using the following filename:
The following file is created in the same folders:
This causes the virus to be executed when an infected media is inserted.
Executable files infection
The virus searches local and network drives for executables with one of the following extensions:
Infection is attempted only if an executable is not in a folder that contains one of the following strings in the name:
Several other criteria are applied when choosing a file to infect. The virus file is prepended to host executables. The original host executable can be reconstructed when an infected file is run.
Documents and Settings
InstallShield Installation Information
MSN Gamin Zone
System Volume Information
Windows Media Player
The virus searches local and network drives for files with one of the following extensions:
A single line is appended to such files. This causes a certain URL to be opened when a file is viewed in a browser.
When searching the drives, the virus creates the following file in every folder visited:
The following services are disabled:
The virus tries to download and execute several files from the Internet.