Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically

Installation

When executed, the virus copies itself in the %windir% folder using the following filename:

rundl132.exe

The following files are dropped in the same folder:

Dll.dll
Logo1_.exe

The following Registry entries are set:

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"load" = "%windir%\rundl132.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Soft\DownloadWWW]
"auto" = "1"

 

Spreading

The virus searches for executables on local drives. Only files with the following names are infected:

ACDSee4.exe
ACDSee5.exe
ACDSee6.exe
AgzNew.exe
Archlord.exe
AutoUpdate.exe
autoupdate.exe
BNUpdate.exe
Datang.exe
editplus.exe
EXCEL.EXE
flashget.exe
foxmail.exe
FSOnline.exe
GameClient.exe
install.exe
jxonline_t.exe
launcher.exe
lineage.exe
LineageII.exe
MHAutoPatch.exe
Mir.exe
msnmsgr.exe
msnmsgr.exe
Mu.exe
my.exe
NATEON.exe
NSStarter.exe
Patcher.exe
patchupdate.exe
QQ.exe
Ragnarok.exe
realplay.exe
run.exe
setup.exe
Silkroad.exe
Thunder.exe
ThunderShell.exe
TTPlayer.exe
Uedit32.exe
Winrar.exe
WINWORD.EXE
woool.exe
zfs.exe

If a folder name matches one of the following strings, files inside it are not infected:

Windows NT
Program Files
WindowsUpdate
Windows Media Player
Outlook Express
Internet Explorer
ComPlus Applications
NetMeeting
Common Files
Messenger
Microsoft Office
InstallShield Installation Information
MSN
Microsoft Frontpage
Movie Maker
MSN Gaming Zone
system
system32
winnt
windows
Recycled
Documents and Settings
System Volume Information

When searching a folder a hidden file is created in it. Its name is the following:

_desktop.ini

The virus also searches for executables in shared folders of remote machines. Filenames are not checked, any executable can be infected.
The virus file is prepended to host executables. When an infected file is executed, the virus drops the host in a temporary file and executes it.

 

Other information

The following programs are terminated:

EGHOST.EXE
IPARMOR.EXE
KAVPFW.EXE
MAILMON.EXE
mcshield.exe
RavMon.exe
Ravmond.EXE
regsvc.exe

The virus contains a list of URLs. It tries to download several files from the addresses. The files are then executed.