Threat Encyclopedia

Short description
The trojan tries to download several files from the Internet. The files are then executed.
Installation
When executed, the trojan copies itself into the following location:
  • %system%\wbem\grpconv.exe (51200 B)
The following files are deleted:
  • %system%\grpconv.exe
In order to be executed on every system start, the trojan sets the following Registry entry:
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "RunGrpConv" = 1
The trojan creates and runs a new thread with its own program code within the following processes:
  • explorer.exe
Other information
The trojan contains a list of URLs (1). It tries to download several files from these addresses using the HTTP protocol.

The downloaded files are stored in the following locations:
  • %temp%\wpv%variable%.exe
A string with variable content is used instead of %variable%.

The files are then executed.

The trojan may create and run a new thread with its own program code within any running process.

The trojan creates the following files:
  • %appdata%\wiaserva.log
The trojan creates copies of the following files (source, destination):
  • %system%\ntdll.dll, %temp%\~TM%variable%.tmp
  • %system%\kernel32.dll, %temp%\~TM%variable%.tmp
A string with variable content is used instead of %variable%.

The trojan launches the following processes:
  • svchost.exe