Threat Encyclopedia


Installation

The following file is dropped into the %system% folder:

ole16.dll

The file is 17920 bytes in size. In order to be executed on every system start, the virus sets the following Registry entries, which register the dropped DLL as the in-process COM server for the Shell Link class {00021401-0000-0000-C000-000000000046}, so the DLL is loaded whenever that class is instantiated:

[HKEY_CLASSES_ROOT\CLSID\{00021401-0000-0000-C000-000000000046}\InProcServer32]
default = "ole16.dll"
"ThreadingModel" = "both"

If that fails (writing under HKEY_CLASSES_ROOT requires administrative rights), the same entries are set in the per-user class store instead, which takes precedence over the machine-wide registration for that user:

[HKEY_CURRENT_USER\Software\Classes\CLSID\{00021401-0000-0000-C000-000000000046}\InProcServer32]
default = "ole16.dll"
"ThreadingModel" = "both"

Executable files infection

The virus searches local drives for executable files. It attempts to infect an executable only if the name of the folder containing it does not include any of the following strings:

documents and
music
program files
win
_restore

Several other criteria are applied when choosing a file to infect. The virus overwrites the code in the first section of the host. The original code is compressed into a CAB archive and appended to the file, so that when an infected file is run the original host executable can be reconstructed and executed. A second CAB archive containing the DLL library is appended as well.
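The appended CAB archives give a defender something concrete to look for: data that sits past the end of the last PE section (the overlay) and carries the CAB "MSCF" signature. The script below is an added example, not code from the encyclopedia page. It parses the PE section table, locates the overlay and reports every MSCF signature found there. It assumes that an untouched executable has no CAB archive in its overlay; installers and self-extracting archives legitimately do, so treat a hit as a reason to look closer rather than as proof of infection. The sample PE image is constructed in the block for testing and is not a real binary.

```python
"""Triage check for CAB archives appended to a PE file's overlay."""
import struct

CAB_MAGIC = b"MSCF"  # Microsoft Cabinet file signature


def section_data_end(pe: bytes) -> int:
    """Return the file offset where the last section's raw data ends."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ header)")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file (missing PE signature)")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    sect_table = coff + 20 + opt_size
    end = sect_table + num_sections * 40      # headers count as file data too
    for i in range(num_sections):
        hdr = sect_table + i * 40
        # SizeOfRawData and PointerToRawData sit at offsets 16 and 20
        size_raw, ptr_raw = struct.unpack_from("<II", pe, hdr + 16)
        if size_raw:                          # skip bss-style sections
            end = max(end, ptr_raw + size_raw)
    return end


def overlay(pe: bytes) -> bytes:
    """Bytes appended after the last section (empty for a clean layout)."""
    return pe[section_data_end(pe):]


def cab_offsets_in_overlay(pe: bytes) -> list[int]:
    """File offsets of every MSCF signature found in the overlay."""
    base = section_data_end(pe)
    tail = pe[base:]
    hits, pos = [], tail.find(CAB_MAGIC)
    while pos != -1:
        hits.append(base + pos)
        pos = tail.find(CAB_MAGIC, pos + 1)
    return hits


def build_sample_pe(overlay_bytes: bytes = b"") -> bytes:
    """Construct a minimal, non-runnable PE32 image with one .text section.

    Test fixture only (constructed here); it is not a real executable.
    """
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0xE0                            # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = b"\0" * opt_size
    hdr_len = e_lfanew + 4 + 20 + opt_size + 40
    raw_ptr = (hdr_len + 0x1FF) & ~0x1FF       # align section data to 0x200
    raw_size = 0x200
    sect = struct.pack("<8sIIIIIIHHI", b".text", raw_size, 0x1000,
                       raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    image = dos + b"PE\0\0" + coff + opt + sect
    image += b"\0" * (raw_ptr - len(image)) + b"\xC3" * raw_size
    return image + overlay_bytes


if __name__ == "__main__":
    clean = build_sample_pe()
    tampered = build_sample_pe(b"MSCF" + b"\0" * 32 + b"MSCF" + b"\0" * 8)
    print("clean overlay CABs:", cab_offsets_in_overlay(clean))
    print("tampered overlay CABs:", cab_offsets_in_overlay(tampered))
```

To run it over a real file, read it with `open(path, "rb").read()` and pass the bytes to `cab_offsets_in_overlay`; two CAB signatures in the overlay of a plain application executable match the layout described above (one archive with the original code, one with the DLL).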

Information stealing

The virus collects various information while a certain application is being used. The data is stored under the following Registry key:

HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Licences

The virus can send the collected information to a remote machine over HTTP.
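Both the persistence entries (the InProcServer32 keys under HKEY_CLASSES_ROOT and HKEY_CURRENT_USER\Software\Classes) and the data-staging key above can be checked from a Registry export without touching the live system. The script below is an added example, not code from the encyclopedia page: it parses the text of a `reg export` file and reports the indicators described on this page. It assumes the export has already been decoded to a Python string (reg.exe writes UTF-16 LE, so read it with `encoding="utf-16"`); the sample export embedded in the block is constructed for the test and does not come from an infected host.

```python
"""Look for the page's Registry indicators in a .reg export."""
import re

SHELLLINK_CLSID = "{00021401-0000-0000-C000-000000000046}"
HKCR_PERSISTENCE = "HKEY_CLASSES_ROOT\\CLSID\\" + SHELLLINK_CLSID + "\\InProcServer32"
HKCU_PERSISTENCE = ("HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\"
                    + SHELLLINK_CLSID + "\\InProcServer32")
DATA_KEY = "HKEY_CURRENT_USER\\Software\\Microsoft\\MediaPlayer\\Licences"
DROPPED_DLL = "ole16.dll"

_KEY_RE = re.compile(r"^\[(.+)\]$")
# value lines look like  "Name"="data"  or  @="data"  (@ is the default value)
_VAL_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def parse_reg_export(text: str) -> dict[str, dict[str, str]]:
    """Return {key_path: {value_name: raw_data}} for a .reg file's text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VAL_RE.match(line)
        if m and current is not None:
            name = m.group(1)
            keys[current]["@" if name == "@" else name[1:-1]] = m.group(2)
    return keys


def _unquote(data: str) -> str:
    return data[1:-1] if len(data) >= 2 and data[0] == data[-1] == '"' else data


def find_indicators(text: str) -> list[tuple[str, str]]:
    """Return (key, reason) pairs for every indicator present in the export."""
    findings = []
    keys = {k.lower(): v for k, v in parse_reg_export(text).items()}
    for key in (HKCR_PERSISTENCE, HKCU_PERSISTENCE):
        values = keys.get(key.lower())
        if values is None:
            continue
        server = _unquote(values.get("@", "")).lower()
        if server.endswith(DROPPED_DLL):
            findings.append((key, f"InProcServer32 default is {server}"))
        elif key == HKCU_PERSISTENCE:
            # A per-user registration of a system CLSID overrides the
            # machine-wide one, so it deserves a look even without ole16.dll.
            findings.append((key, "per-user override of the Shell Link CLSID"))
    staged = keys.get(DATA_KEY.lower())
    if staged:
        findings.append((DATA_KEY, f"{len(staged)} value(s) present"))
    return findings


# Constructed sample export (not from a real host), in reg.exe's text layout.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\CLSID\{00021401-0000-0000-C000-000000000046}\InProcServer32]
@="ole16.dll"
"ThreadingModel"="both"

[HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Licences]
"0"="constructed-sample-value"
"""

if __name__ == "__main__":
    for key, reason in find_indicators(SAMPLE_EXPORT):
        print(f"{key}: {reason}")
```

On a suspect host, export the three keys with `reg export` and run `find_indicators` on the decoded text; an empty result means none of the indicators on this page are present, not that the host is clean, since the file-infection side needs the overlay check as well.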