Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically

When executed, the trojan copies itself in the %system% folder using the following filename:


The following file is dropped in the same folder:


The following files are dropped into the %temp% folder:



A string with variable content is used instead of %variable%.

The variable %number% represents a randomly generated number in the range 0-9.

The libraries with the following names are injected into all running processes:


In order to be executed on every system start, the trojan sets the following Registry entry:

[HKEY_CURRENT_USER\SoftWare\Microsoft\ Windows\CurrentVersion\Run]
"mmva" = "%system%\mmvo.exe"


The following Registry entries are set:

"Hidden" = 2

"ShowSuperHidden" = 0

"CheckedValue" = 0

"NoDriveTypeAutoRun" = 91


The trojan copies itself into the root folders of fixed and/or removable drives using the following name:


The following file is dropped in the same folder:


Thus, the trojan ensures it is started each time infected media is inserted into the computer.

Information stealing
The trojan gathers information related to the following processes:


The trojan is able to log keystrokes.

The trojan can send the information to a remote machine. The HTTP/HTTPS protocol is used.

Other information
The trojan is sent data and commands from a remote computer or the Internet. The trojan contains a list of URLs.

The trojan can download and execute a file from the Internet.

The file is then saved as %temp%\uu.exe and executed.

The trojan alters the behavior of some security related applications. It uses techniques common for rootkits.