Threat Encyclopedia


Installation

The following file is dropped in the %windir% folder:

vcmgcd32.dll

The library is loaded and injected into all processes.

The following Registry entry is set:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = 0

The following file is modified:

%windir%\system.ini

Executable files infection

The virus infects files referenced by the following Registry entries:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

This causes the virus to be executed on every system start.

The virus searches local and network drives for executables with one of the following extensions:

.EXE
.SCR

The virus also searches for executables in shared folders of remote machines. Infection is attempted only if the executable is not in a folder whose name contains one of the following strings:

AHEAD
SYSTEM

Several other criteria are applied when choosing a file to infect. Files are infected by adding a new section that contains the virus. The size of the inserted code is 20480 B.
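As an added triage example (not code from the original entry), the following Python parses a PE section table and reports the last section when its virtual or raw size equals the 20480 bytes stated above. That the added section is the last table entry and that its size field equals the inserted code size are assumptions, so a match is a lead for further analysis rather than a signature; `build_sample_pe` produces constructed test input.

```python
import struct

INSERTED_SIZE = 20480  # size of the inserted code given in the description above

def pe_sections(data):
    """Return [(name, virtual_size, raw_size, characteristics)], or None if not a parsable PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)        # e_lfanew
    if pe_off + 24 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        return None
    # COFF header follows the 4-byte signature: NumberOfSections at +6, SizeOfOptionalHeader at +20
    n_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    table = pe_off + 24 + opt_size                           # section table starts after optional header
    sections = []
    for i in range(n_sections):
        off = table + 40 * i                                 # each section header is 40 bytes
        if off + 40 > len(data):
            return None                                      # truncated or malformed section table
        name, vsize, _va, raw_size, _raw_ptr = struct.unpack_from("<8sIIII", data, off)
        (flags,) = struct.unpack_from("<I", data, off + 36)  # Characteristics
        sections.append((name.rstrip(b"\0").decode("latin-1"), vsize, raw_size, flags))
    return sections

def suspect_section(data):
    """Return the last section if its size matches INSERTED_SIZE (assumed heuristic), else None."""
    secs = pe_sections(data)
    if not secs:
        return None
    last = secs[-1]
    return last if INSERTED_SIZE in (last[1], last[2]) else None

def build_sample_pe(specs):
    """Constructed input: header-only PE image with (name, size) sections, no optional header."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(specs), 0, 0, 0, 0, 0x0102)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", n, s, 0x1000, s, 0x200, 0, 0, 0, 0, 0x60000020)
        for n, s in specs)
    return dos + b"PE\0\0" + coff + table
```

To check a file on disk, pass its bytes, for example `suspect_section(open(path, "rb").read())`.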

Other information

The virus deletes files with the following extensions:

.avc
.vdb

The virus deletes executable files that contain one of the following strings in their name:

ALER
ANDA
ANTI
AVP
BIDEF
CLEAN
GUAR
KAV
NOD
OUTP
SCAN
TREN
TROJ
ZONE

The following programs are terminated:

ANTI
ATGUARD
AUTOTRACE
AVGSERV
AVLTMAIN
AVP
AVPROTECT
AVSYNMGR
AVXQUAR
BIDEF
BIDSERVER
BIPCP
BLACKICE
CLEANER
DRWATSON
DRWEB
DRWTSN32
ESCANH
ICSSUPPNT
ICSUPP
KAV
LOCKDOWN
MCAGENT
MCUPDATE
MGUI
NAV
NMAIN
NOD32
NPFMESSENGER
NPROTECT
NUPGRADE
OUTPOST
PERISCOPE
PINGSCAN
PORTDETECTIVE
PROTECTX
RTVSCAN
SAVSCAN
TRJSCAN
VSMAIN
ZONEALARM

The virus tries to download and execute several files from the Internet.