When executed, the backdoor copies itself into the %system% folder using the following filename:
The file is executed as a thread in the following process:
In order to be executed on every system start, the backdoor sets the following Registry entry:
".nvsvc" = "%system%\smss.exe /w"
The following Registry entries are set:
"Start" = "4"
"%system%\smss.exe" = "%system%\smss.exe:*:Enabled:Microsoft Update"
Setting "Start" to "4" disables the Automatic Updates service. By adding itself as an exception in the Windows Firewall settings, the backdoor ensures that it is not blocked.
The backdoor connects to an IRC network and can be controlled remotely. It can download a file from the Internet, which is then executed.
The program disables various security-related applications.
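The registry values listed above can be turned into a triage check over exported name/data pairs. This is an added example, not code from the original page; the function names, the `SYSTEM_NAMES` set and the fourth sample line are assumptions made for illustration.

```python
import re

# Value pairs in the page's '"name" = "data"' notation. The first three are the
# ones listed above; the fourth is a constructed benign entry for contrast.
SAMPLE = r'''
".nvsvc" = "%system%\smss.exe /w"
"Start" = "4"
"%system%\smss.exe" = "%system%\smss.exe:*:Enabled:Microsoft Update"
"%programfiles%\Example\app.exe" = "%programfiles%\Example\app.exe:LocalSubNet:Disabled:Example App"
'''

PAIR = re.compile(r'^"(?P<name>[^"]*)"\s*=\s*"(?P<data>[^"]*)"$')
# Firewall exception data: <path>:<scope>:<Enabled|Disabled>:<display name>.
# The lazy path group lets a drive-letter colon (C:\...) stay inside the path.
FW = re.compile(r'^(?P<path>.+?):(?P<scope>[^:]+):(?P<state>Enabled|Disabled):(?P<label>[^:]*)$')
# Assumption: smss.exe is the Windows Session Manager, which needs neither an
# autorun value with arguments nor an inbound firewall exception.
SYSTEM_NAMES = {"smss.exe"}


def parse_pairs(text):
    """Return (name, data) tuples for every well-formed pair line."""
    matches = (PAIR.match(line.strip()) for line in text.splitlines())
    return [(m["name"], m["data"]) for m in matches if m]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage(pairs):
    """Return (kind, name, data) findings that match the behaviour described."""
    findings = []
    for name, data in pairs:
        fw = FW.match(data)
        exe, _, args = data.partition(" ")
        if fw and fw["path"].lower() == name.lower():
            # Exception open to any source for a system-process name.
            if (fw["state"], fw["scope"]) == ("Enabled", "*") and basename(fw["path"]) in SYSTEM_NAMES:
                findings.append(("firewall-exception", name, data))
        elif name == "Start" and data == "4":
            # 4 = disabled service; the page gives no key path, so confirm the service.
            findings.append(("service-disabled", name, data))
        elif args and basename(exe) in SYSTEM_NAMES:
            findings.append(("autorun-system-name", name, data))
    return findings


if __name__ == "__main__":
    for finding in triage(parse_pairs(SAMPLE)):
        print(finding)
```

A "service-disabled" hit on its own is weak evidence, since many services are legitimately disabled; it matters here in combination with the other two findings.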