Threat Encyclopedia


Installation
When executed, the trojan copies itself into the %system% folder using the following filename:

mmvo.exe

The following file is dropped in the same folder:

mmvo%number%.dll

The following files are dropped into the %temp% folder:

uveyg.dll

%variable%.sys

A string with variable content is used instead of %variable%.

The variable %number% represents a randomly generated number in the range 0-9.

The library with the following name is injected into all running processes:

%system%\mmvo%number%.dll

In order to be executed on every system start, the trojan sets the following Registry entry:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"mmva" = "%system%\mmvo.exe"


The following Registry entries are set:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = 2

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden" = 0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue" = 0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun" = 91
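The file names and Registry values listed above are the host-based indicators a responder would look for. The following Python script is an added example, not part of the encyclopedia entry or its vendor's tooling: it parses the text that `reg export` produces for the keys in question, flags the `mmva` Run value and the three Explorer settings that hide files, and matches a directory listing against the dropped file names (including the `%temp%\uu.exe` download target named later in the entry). The export text and the file list below are constructed sample input so the script runs offline; on a real host you would feed it the output of `reg export` and a recursive listing of `%system%` and `%temp%`.

```python
import re
from typing import Dict, List, Tuple

# (key path, value name), both lower-cased so comparisons are case-insensitive like the registry itself
RegValue = Tuple[str, str]

# Locations taken from the encyclopedia entry above
RUN_KEY = r"hkey_current_user\software\microsoft\windows\currentversion\run"
ADVANCED_KEY = r"hkey_current_user\software\microsoft\windows\currentversion\explorer\advanced"
SHOWALL_KEY = (r"hkey_local_machine\software\microsoft\windows\currentversion"
               r"\explorer\advanced\folder\hidden\showall")

# Values the entry says the trojan sets so that Explorer hides its files
EXPLORER_TAMPERING = {
    (ADVANCED_KEY, "hidden"): 2,
    (ADVANCED_KEY, "showsuperhidden"): 0,
    (SHOWALL_KEY, "checkedvalue"): 0,
}

# File names from the entry: the %system% copy, the injected DLL (single-digit suffix),
# the %temp% DLL and the download target %temp%\uu.exe
DROPPED_FILE_RE = re.compile(r"\\(mmvo\.exe|mmvo[0-9]\.dll|uveyg\.dll|uu\.exe)$", re.IGNORECASE)


def parse_reg_export(text: str) -> Dict[RegValue, object]:
    """Parse the subset of .reg syntax produced by 'reg export': string and DWORD values."""
    values: Dict[RegValue, object] = {}
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1].lower()
            continue
        match = re.match(r'^"([^"]+)"=(.*)$', line)
        if current_key is None or not match:
            continue
        name, data = match.group(1).lower(), match.group(2)
        if data.startswith("dword:"):
            values[(current_key, name)] = int(data[len("dword:"):], 16)
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            # .reg files double every backslash inside string data
            values[(current_key, name)] = data[1:-1].replace("\\\\", "\\")
    return values


def check_registry(values: Dict[RegValue, object]) -> List[str]:
    """Report the Run entry and the Explorer settings described in the entry."""
    findings = []
    for (key, name), data in values.items():
        if key == RUN_KEY and (name == "mmva" or
                               (isinstance(data, str) and data.lower().endswith(r"\mmvo.exe"))):
            findings.append(f"Run value '{name}' -> {data}")
    for (key, name), bad_value in EXPLORER_TAMPERING.items():
        if values.get((key, name)) == bad_value:
            findings.append(f"'{name}' = {bad_value} under {key}")
    return findings


def check_files(paths: List[str]) -> List[str]:
    """Return the paths whose file name matches one of the entry's dropped files."""
    return [p for p in paths if DROPPED_FILE_RE.search(p)]


def scan(reg_export_text: str, file_paths: List[str]) -> Dict[str, List[str]]:
    """Combine both checks; empty lists mean no indicator from the entry was found."""
    return {"registry": check_registry(parse_reg_export(reg_export_text)),
            "files": check_files(file_paths)}


# Constructed sample input standing in for 'reg export' output and a directory listing
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
"mmva"="C:\\WINDOWS\\system32\\mmvo.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
"ShowSuperHidden"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000
'''

SAMPLE_FILE_LIST = [
    r"C:\WINDOWS\system32\mmvo.exe",
    r"C:\WINDOWS\system32\mmvo7.dll",
    r"C:\WINDOWS\system32\kernel32.dll",
    r"C:\Users\alice\AppData\Local\Temp\uveyg.dll",
    r"C:\Users\alice\AppData\Local\Temp\~DF1234.tmp",
]

if __name__ == "__main__":
    for category, hits in scan(SAMPLE_REG_EXPORT, SAMPLE_FILE_LIST).items():
        for hit in hits:
            print(f"[{category}] {hit}")
```

The Explorer checks only report a value when it equals what the entry says the trojan writes; a clean default profile has `Hidden` = 2 on some Windows versions by itself, so treat those three findings as supporting evidence next to the Run value and the dropped files rather than as a verdict on their own.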


Spreading
The trojan copies itself into the root folders of fixed and/or removable drives using the following name:

uevr.cmd

The following file is dropped in the same folder:

autorun.inf

Thus, the trojan ensures it is started each time infected media is inserted into the computer.
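The entry states only that `autorun.inf` is dropped next to `uevr.cmd` and that this makes the trojan start when the media is inserted; the directives inside the file are not shown. The following Python script is an added example, not the encyclopedia's own code: it parses the `[autorun]` section of an `autorun.inf` taken from a drive root, collects the program names referenced by the documented launch directives (`open`, `shellexecute` and `shell\<verb>\command`), and reports when one of them is `uevr.cmd` or another script or executable sitting in the same root. The assumption that the trojan's `autorun.inf` uses those directives to launch `uevr.cmd` is mine, and the two drive listings below are constructed sample input.

```python
import re
from typing import Dict, List

# Documented [autorun] directives that can launch a program (https://learn.microsoft.com, Autorun.inf entries)
LAUNCH_DIRECTIVES = ("open", "shellexecute")
SHELL_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)

KNOWN_DROPPER = "uevr.cmd"  # file name given in the encyclopedia entry
SCRIPT_EXT = (".cmd", ".bat", ".exe", ".com", ".scr", ".vbs", ".pif")


def autorun_launch_targets(inf_text: str) -> List[str]:
    """Return the program names referenced by launch directives in the [autorun] section."""
    targets = []
    in_autorun = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() in LAUNCH_DIRECTIVES or SHELL_COMMAND_RE.match(key):
            tokens = value.replace('"', "").split()  # first token is the program, the rest are arguments
            if tokens:
                targets.append(tokens[0])
    return targets


def assess_drive_root(root_listing: Dict[str, str]) -> List[str]:
    """root_listing maps lower-cased file names in a drive root to their contents
    (only autorun.inf needs real content; other entries may be empty strings)."""
    findings = set()
    inf_text = root_listing.get("autorun.inf")
    if inf_text is None:
        return []
    for target in autorun_launch_targets(inf_text):
        name = target.replace("/", "\\").split("\\")[-1].lower()
        if name == KNOWN_DROPPER:
            findings.add(f"autorun.inf launches {KNOWN_DROPPER} (matches the entry's spreading routine)")
        elif name.endswith(SCRIPT_EXT):
            presence = "present in root" if name in root_listing else "not present in root"
            findings.add(f"autorun.inf launches {name} ({presence})")
    return sorted(findings)


# Constructed sample: a removable drive as the entry describes it (directive layout assumed)
SAMPLE_USB_ROOT = {
    "autorun.inf": ("[autorun]\r\nopen=uevr.cmd\r\nshellexecute=uevr.cmd\r\n"
                    "shell\\open\\command=uevr.cmd\r\naction=Open folder to view files\r\n"
                    "icon=%SystemRoot%\\system32\\shell32.dll,4\r\n"),
    "uevr.cmd": "",
    "holiday.jpg": "",
}

# Constructed sample: an ordinary installer CD, which also launches a program but is not this trojan
SAMPLE_INSTALLER_CD = {
    "autorun.inf": "[autorun]\r\nopen=setup.exe\r\nicon=setup.exe\r\n",
    "setup.exe": "",
}

if __name__ == "__main__":
    for label, listing in (("usb", SAMPLE_USB_ROOT), ("cd", SAMPLE_INSTALLER_CD)):
        for finding in assess_drive_root(listing):
            print(f"[{label}] {finding}")
```

The installer CD is reported too, because any `autorun.inf` that launches a program is worth a look; the difference is that the script names the trojan's file explicitly, so a responder can tell a match on the entry from a generic autorun.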


Information stealing
The trojan gathers information related to the following processes:

Ragexe.exe
lin.bin
YPagerj.exe
YahooWidgetEngine.exe
pol.exe

The trojan is able to log keystrokes.

The trojan can send the gathered information to a remote machine over HTTP or HTTPS.


Other information
The trojan receives data and commands from a remote computer or the Internet. The trojan contains a list of URLs.

The trojan can download and execute a file from the Internet.

The file is then saved as %temp%\uu.exe and executed.

The trojan alters the behavior of some security-related applications. It uses techniques common to rootkits.