Fantibag.B/Email-Worm.Win32.Bagle.bs

Summary

Fantibag.B is a trojan that installs a packet filter to prevent the download of antivirus database updates and security patches. It is related to the recent Bagle/Mitglieder trojans.

Detailed Description

System installation

When the trojan's file is executed, it copies itself into the Windows directory as 'firewall_anti.exe'. It creates the following registry value to ensure it is executed at system startup:

 [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"firewall_anti" = "%WinDir%\firewall_anti.exe"

The trojan drops a DLL named 'firewall_anti.dll' in the Windows directory and injects it into the address space of Internet Explorer.

Packet filtering

When the dropped DLL is activated, it modifies the network interface using the Microsoft RAS packet filtering API. It adds a filter that blocks access to the following antivirus vendor sites, Microsoft update and support hosts, and assorted other hosts (including several advertising networks):

 ftpav.ca.com
www.pandasoftware.com
pandasoftware.com
clamav.net
www.clamav.net
www.bitdefender.com
bitdefender.com
ravantivirus.com
www.ravantivirus.com
drweb.ru
www.drweb.com
drweb.com
antivir.de
www.antivir.de
216.200.68.152
212.113.20.69
63.210.193.12
84.53.142.22
84.53.142.6
kaspersky.ru
grisoft.com
www3.ca.com
www.viruslist.ru
www.viruslist.com
www.trendmicro.com
www.symantec.com
www.sophos.com
www.networkassociates.com
www.nai.com
www.my-etrust.com
www.mcafee.com
www.kaspersky.ru
www.kaspersky.com
www.kaspersky-labs.com
www.grisoft.com
www.fastclick.net
www.f-secure.com
www.awaps.net
www.avp.ru
www.avp.com
www.avp.ch
windowsupdate.microsoft.com
viruslist.ru
viruslist.com
vil.nai.com
us.mcafee.com
updates5.kaspersky-labs.com
updates4.kaspersky-labs.com
updates3.kaspersky-labs.com
updates2.kaspersky-labs.com
updates1.kaspersky-labs.com
updates.symantec.com
update.symantec.com
trendmicro.com
symantec.com
support.microsoft.com
spd.atdmt.com
sophos.com
service1.symantec.com
securityresponse.symantec.com
secure.nai.com
rads.mcafee.com
phx.corporate-ir.net
office.microsoft.com
networkassociates.com
nai.com
my-etrust.com
msdn.microsoft.com
media.fastclick.net
mcafee.com
mast.mcafee.com
liveupdate.symantecliveupdate.com
liveupdate.symantec.com
kaspersky.com
kaspersky-labs.com
ids.kaspersky-labs.com
go.microsoft.com
ftp.sophos.com
ftp.kasperskylab.ru
ftp.f-secure.com
ftp.downloads2.kaspersky-labs.com
ftp.avp.ch
fastclick.net
f-secure.com
engine.awaps.net
downloads4.kaspersky-labs.com
downloads3.kaspersky-labs.com
downloads2.kaspersky-labs.com
downloads1.kaspersky-labs.com
downloads.microsoft.com
downloads-us3.kaspersky-labs.com
downloads-us2.kaspersky-labs.com
downloads-us1.kaspersky-labs.com
downloads-eu1.kaspersky-labs.com
download.microsoft.com
download.mcafee.com
dispatch.mcafee.com
customer.symantec.com
clicks.atdmt.com
click.atdmt.com
www.ca.com
ca.com
banners.fastclick.net
banner.fastclick.net
awaps.net
avp.ru
avp.com
avp.ch
atdmt.com
ar.atwola.com
ads.fastclick.net
ad.fastclick.net
ad.doubleclick.net

Source: http://www.f-secure.com/v-descs/fantibag_b.shtml
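A filter like the one described above is easiest to spot by its symptom: update and vendor hosts fail while unrelated hosts still connect. The following added script (not part of the F-Secure description) probes a handful of the listed hosts and a control host, and classifies the pattern of failures. The control host `www.example.com` is an assumption for this example, and the connector is injectable so the logic can be exercised without a network.

```python
import socket
from typing import Callable, Dict, Iterable

# A handful of the update hosts from the filter list above (names from the
# description) and one control host the list does not cover. The control
# host is an assumption made for this example.
UPDATE_HOSTS = [
    "windowsupdate.microsoft.com",
    "download.microsoft.com",
    "liveupdate.symantec.com",
    "updates1.kaspersky-labs.com",
    "ftp.f-secure.com",
]
CONTROL_HOSTS = ["www.example.com"]

# A connector takes (host, port, timeout) and raises OSError on failure.
Connector = Callable[[str, int, float], None]


def tcp_connect(host: str, port: int, timeout: float) -> None:
    """Open and immediately close a TCP connection (DNS failure is also OSError)."""
    with socket.create_connection((host, port), timeout=timeout):
        pass


def probe(hosts: Iterable[str], connect: Connector = tcp_connect,
          port: int = 80, timeout: float = 3.0) -> Dict[str, bool]:
    """Return {host: reachable} using the supplied connector."""
    results: Dict[str, bool] = {}
    for host in hosts:
        try:
            connect(host, port, timeout)
            results[host] = True
        except OSError:
            results[host] = False
    return results


def assess(update_results: Dict[str, bool], control_results: Dict[str, bool]) -> str:
    """Classify the failure pattern.

    'selective-block'  every update host failed while a control host worked:
                       the Fantibag-style symptom worth investigating
    'partial-block'    some update hosts failed, control worked
    'no-connectivity'  the control host failed too; nothing can be concluded
    'clear'            everything reachable
    """
    if not any(control_results.values()):
        return "no-connectivity"
    blocked = [h for h, ok in update_results.items() if not ok]
    if blocked and len(blocked) == len(update_results):
        return "selective-block"
    if blocked:
        return "partial-block"
    return "clear"


if __name__ == "__main__":
    updates = probe(UPDATE_HOSTS)
    control = probe(CONTROL_HOSTS)
    for host, ok in {**updates, **control}.items():
        print(f"{'ok     ' if ok else 'FAILED '} {host}")
    print("verdict:", assess(updates, control))
```

A 'selective-block' verdict is a symptom, not an identification: a corporate proxy or egress policy produces the same pattern, so confirm by checking for the 'firewall_anti' Run value and the dropped DLL before concluding anything.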

MSBLAST.EXE worm aka Blaster.A, LoveSan or Msblast.A

What is the MSBLAST.EXE worm aka Blaster.A, LoveSan or Msblast.A?

The MSBLAST.A worm infects machines over network connections. It can attack entire networks of computers or a single computer connected to the Internet. The worm exploits a known Windows vulnerability that is easily patched, yet few systems seem to have the patch installed. It attacks Windows 2000 and XP machines through the DCOM RPC vulnerability. Depending on the system date it starts a denial-of-service attack against windowsupdate.com, which makes it harder to download the needed patches and lets the worm infect as many machines as it can before being disabled. However, as of August 15th, Microsoft retired the windowsupdate.com name to lessen the impact of this denial-of-service attack. MSBLAST can also cause widespread system instability, including but not limited to Windows blue screens, out-of-memory errors, changes to the Control Panel, inability to use functions in the browser, and many more oddities.

Download the Windows patches for this vulnerability from the links below:
  • http://www.microsoft.com/downloads/details.aspx?FamilyID=2354406c-c5b6-44ac-9532-3de40f69c074&displaylang=en
  • http://www.microsoft.com/downloads/details.aspx?FamilyID=c8b8a846-f541-4c15-8c9f-220354449117&displaylang=en
These Windows vulnerabilities are also patched by using Windows Update to download all critical updates for your system. In some cases, people have reported error 0x800A138F when trying to download updates. If you receive an error like this, read Marc Liron's excellent article on solving it at his updatexp.com website.

What is the DCOM Vulnerability?

The DCOM vulnerability in Windows 2000 and XP (Microsoft Security Bulletin MS03-026, patch KB823980) can allow an attacker to remotely compromise a computer running Microsoft® Windows® and gain complete control over it. The worm triggers a buffer overrun in the DCOM interface of the Remote Procedure Call (RPC) service. A successful overrun gives the worm code execution on the target, which it uses to fetch and run its own copy and then attack further machines; a malformed attempt instead crashes the RPC service, which is what triggers the forced restart described below.

What are the Symptoms of the MSBLAST worm?

When you are infected you will see a shutdown dialog that counts down to zero and then shuts the system down completely. The warning states "This shutdown was initiated by NT AUTHORITY\SYSTEM" and the message reads:

"Windows must now restart because the Remote Procedure Call (RPC) service terminated unexpectedly"

You can abort this shutdown by following these steps during the countdown:
  • Click on Start, Run
  • Type CMD and press ENTER
  • At the prompt, type SHUTDOWN -A and press ENTER
This cancels the pending shutdown; however, in most cases the system may be too unstable to recover and may need to be rebooted anyway.

How Does MSBLAST Infect My Computer?

  1. The worm creates a Mutex named "BILLY." If the mutex exists, the worm will exit.
  2. Adds the value:
    "windows auto update" = MSBLAST.EXE (variant A)
    "windows auto update" = PENIS32.EXE (variant B)
    "Microsoft Inet xp.." = TEEKIDS.EXE (variant C)

    "Nonton Antivirus=mspatch.exe" (variant E)
    "Windows Automation" = "mslaugh.exe" (variant F)
    "www.hidro.4t.com"="enbiei.exe" (variant G)

    to the registry key:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    so that the worm runs when you start Windows.
  3. Derives the starting IP address from its own address, 40% of the time:
    Host IP: A.B.C.D
    sets D equal to 0.
    if C > 20, subtracts a random value less than 20 from C.
    Once calculated, the worm starts attempting to exploit A.B.C.0 and then counts upward.
    This means the local area network is infected almost immediately and becomes saturated with port 135 requests before the scan leaves the local subnet.
  4. Picks a random starting IP address, 60% of the time:
    A.B.C.D
    sets D equal to 0.
    sets A, B, and C to random values between 0 and 255.
  5. Sends data on TCP port 135 that may exploit the DCOM RPC vulnerability to allow the following actions to occur on the vulnerable computer:
    Create a hidden Cmd.exe remote shell that will listen on TCP port 4444.

    NOTE:
    Due to the random nature of how the worm constructs the exploit data, it may cause computers to crash if it sends incorrect data. This can cause blue screens, out of memory errors, etc.
  6. Listens on UDP port 69. When the worm receives a request, it will return the Msblast.exe binary.
  7. Sends the commands to the remote computer to reconnect to the infected host and to download and run Msblast.exe.
  8. If the current month is after August, or if the current day of the month is after the 15th, the worm performs a DoS attack on "windowsupdate.com".
    With this logic the attack starts on August 16th and continues until the end of the year.

    The worm contains the following text, which is never displayed:

    I just want to say LOVE YOU SAN!!
    billy gates why do you make this possible ? Stop making money and fix your software!!

    Windows 2000 Machines

    On Windows 2000 machines, I have seen the Control Panel icons switch to the left pane, functions like FIND in the browser stop working, and many other oddities.
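The target-selection and trigger logic in steps 3, 4 and 8 above is easier to reason about in code. The following is an added example, not the worm's code and not from the PC Hell article: it reproduces only the address arithmetic and the date check as described (no port 135 traffic is generated), and adds a small sampler that shows why the local /16 is hit so hard. The sample host address 10.1.50.7 is an assumption.

```python
import random
from datetime import date
from typing import Iterator, Tuple

IPv4 = Tuple[int, int, int, int]


def local_start(host_ip: str, rng: random.Random) -> IPv4:
    """The 40% branch: start in, or at most 19 /24s below, the host's own /24."""
    a, b, c, _ = (int(x) for x in host_ip.split("."))
    if c > 20:
        c -= rng.randrange(20)        # a random value less than 20 (0..19)
    return (a, b, c, 0)


def random_start(rng: random.Random) -> IPv4:
    """The 60% branch: a completely random /24."""
    return (rng.randrange(256), rng.randrange(256), rng.randrange(256), 0)


def initial_target(host_ip: str, rng: random.Random) -> IPv4:
    """Pick the starting address the way the description says the worm does."""
    if rng.random() < 0.4:
        return local_start(host_ip, rng)
    return random_start(rng)


def scan_sequence(start: IPv4, count: int) -> Iterator[str]:
    """Count upward from the start address, carrying into the higher octets."""
    a, b, c, d = start
    base = (a << 24) | (b << 16) | (c << 8) | d
    for i in range(count):
        v = (base + i) & 0xFFFFFFFF
        yield f"{v >> 24}.{(v >> 16) & 0xFF}.{(v >> 8) & 0xFF}.{v & 0xFF}"


def dos_active(today: date) -> bool:
    """The trigger as described: month after August, or day of month after the 15th."""
    return today.month > 8 or today.day > 15


def same_slash16_rate(host_ip: str, seed: int, trials: int = 20000) -> float:
    """Fraction of starting points that land inside the host's own /16.

    About 40% of scans begin a few /24s below the host; the random branch
    almost never lands nearby, so the local network absorbs the first hits.
    """
    rng = random.Random(seed)
    a, b, *_ = (int(x) for x in host_ip.split("."))
    hits = sum(1 for _ in range(trials) if initial_target(host_ip, rng)[:2] == (a, b))
    return hits / trials


if __name__ == "__main__":
    rng = random.Random(2003)
    start = initial_target("10.1.50.7", rng)       # assumed sample host
    print("start:", ".".join(map(str, start)))
    print("first targets:", list(scan_sequence(start, 5)))
    print("share of scans starting in own /16:", same_slash16_rate("10.1.50.7", 1))
    for d in (date(2003, 8, 15), date(2003, 8, 16), date(2003, 9, 1), date(2004, 1, 1)):
        print(d, "DoS active" if dos_active(d) else "quiet")
```

Note what `dos_active` shows about the trigger as worded on the page: it is true for every day after the 15th of any month and for every day of September through December, so it lapses again on the 1st of January and re-arms on the 16th.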

How can I remove the MSBLAST worm?

Follow these steps to remove the MSBLAST (MSBLASTER) worm.
  1. Disconnect your computer from the local area network or Internet
  2. Terminate the running program
    • Open Windows Task Manager (press CTRL+ALT+DEL, then select Task Manager on WinNT/2000/XP machines) and select the Processes tab.
    • Locate one of the following programs (depending on variation), click on it and End Task or End Process

      MSBLAST.EXE
      PENIS32.EXE
      TEEKIDS.EXE

      MSPATCH.EXE
      MSLAUGH.EXE
      ENBIEI.EXE

    • Close Task Manager
  3. Install the patches for the DCOM RPC vulnerability; download them from the links below before disconnecting
    • http://www.microsoft.com/downloads/details.aspx?FamilyID=2354406c-c5b6-44ac-9532-3de40f69c074&displaylang=en
    • http://www.microsoft.com/downloads/details.aspx?FamilyID=c8b8a846-f541-4c15-8c9f-220354449117&displaylang=en
    • http://download.microsoft.com/download/6/5/1/651c3333-4892-431f-ae93-bf8718d29e1a/Q823980i.EXE
    • http://download.microsoft.com/download/a/7/5/a75b3c8f-5df0-451b-b526-cfc7c5c67df5/WindowsXP-KB823980-ia64-ENU.exe
    • http://download.microsoft.com/download/8/f/2/8f21131d-9df3-4530-802a-2780629390b9/WindowsServer2003-KB823980-x86-ENU.exe
    • http://download.microsoft.com/download/4/0/3/403d6631-9430-4ff6-a061-9072a4c50425/WindowsServer2003-KB823980-ia64-ENU.exe
    • If you receive a "cryptographic service" error when you try to apply the patch, please read the following excellent article on how to fix this error:
      http://www.updatexp.com/cryptographic-service.html
  4. Block access to TCP port 4444 at the firewall level, and then block the following ports, if they do not use the applications listed:
    • TCP Port 135, "DCOM RPC"
    • UDP Port 69, "TFTP"
  5. Remove the Registry entries
    • Click on Start, Run, Regedit
    • In the left panel go to
      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    • In the right panel, right-click and delete the entry for your variant
      "windows auto update" = MSBLAST.EXE (variant A)
      "windows auto update" = PENIS32.EXE (variant B)
      "Microsoft Inet xp.." = TEEKIDS.EXE (variant C)

      "Nonton Antivirus"=MSPATCH.EXE (variant E)
      "Windows Automation" = "mslaugh.exe" (variant F)
      "www.hidro.4t.com"="enbiei.exe" (variant G)
    • Close the Registry Editor
  6. Delete the infected files (for Windows ME and XP remember to turn off System Restore before searching for and deleting these files to remove infected backed up files as well)
    • Click Start, point to Find or Search, and then click Files or Folders.
    • Make sure that "Look in" is set to the Windows directory (C:\WINDOWS).
    • In the "Named" or "Search for..." box, type, or copy and paste, the file names:
      msblast*.* (or other filenames listed above)
    • Click Find Now or Search Now.
    • Delete the displayed files.
    • Empty the Recycle bin, the worm can reinfect even if the files are in the recycle bin.
  7. Reboot the computer, reconnect the network, and update your antivirus software, and run a thorough virus scan using your favorite antivirus program.
  8. Now check for the worm again; if it returns, repeat these steps until the worm is gone. With the patch in place the worm can no longer exploit the system, but it is sometimes difficult to remove the files for good.
For Automatic Removal of MSBLAST, download the Symantec removal tool, you'll still need to download the patches above and install them, however this removal tool will stop the MSBLAST program from running, remove the items in the registry, and delete the infected files.

Source : http://www.pchell.com/virus/msblast.shtml

About Trojan Horse

History of Trojan Horse

The original trojan horse was built by Odysseus, the King of Ithaca, during the legendary Trojan War. The Greeks were losing the siege of the city of Troy. Odysseus had a large wooden horse built and left as a "gift" outside the walls of the city of Troy. He then ordered the Greek army to sail away.

The Trojans believed the horse to be a peace offering from Odysseus. Instead, the horse was filled with Greek warriors, including Odysseus and Menelaus. As the Trojans slept, the Greek army sailed back to Troy and the soldiers hiding in the wooden horse snuck out and opened the gates of the city for them.

A Computer Trojan Horse

A computer trojan horse is a program which appears to be something good, but actually conceals something bad.

One way to spread a trojan horse is to hide it inside a distribution of normal software. In 2002, the sendmail and OpenSSH packages were both used to hide trojan horses. This was done by an attacker who broke into the distribution sites for these software packages and replaced the original distributions with his own packages.

A more common method of spreading a trojan horse is to send it via e-mail. The attacker will send the victim an e-mail with an attachment called something like "prettygirls.exe." When the victim opens the attachment to see the pretty girls, the trojan horse will infect his system.

A similar technique for spreading trojan horses is to send files to unsuspecting users over chat systems like IRC, AIM, ICQ, MSN, or Yahoo Messenger.


The Trojan Horse Virus

Unlike viruses, trojan horses do not normally spread themselves. Trojan horses must be spread by other mechanisms.

A trojan horse virus is a virus which spreads by fooling an unsuspecting user into executing it.

An example of a trojan horse virus would be a virus which required a user to open an e-mail attachment in Microsoft Outlook to activate. Once activated, the trojan horse virus would send copies of itself to people in the Microsoft Outlook address book.

The trojan horse virus infects like a trojan horse, but spreads like a virus.


Effects of a Trojan Horse

The victim running the trojan horse will usually give the attacker some degree of control over the victim's machine. This control may allow the attacker to remotely access the victim's machine, or to run commands with all of the victim's privileges.

The trojan horse could make the victim's machine part of a Distributed Denial of Service (DDoS) network, where the victims machine is used to attack other victims.

Alternatively, the trojan horse could just send data to the attacker. Data commonly targeted by trojan horses includes usernames and passwords, but a sophisticated trojan horse could also be programmed to look for items such as credit card numbers.


Protecting Against The Trojan Horse

Anti-virus programs detect known trojan horses. However, trojan horse programs are easier to create than viruses and many are created in small volumes. These trojan horse programs will not be detected by anti-virus software.

The best defense against a trojan horse is to never run a program that is sent to you. E-mail and chat systems are not safe methods of software distribution.


Spyware and Adware

Many people consider spyware and adware to be forms of a trojan horse.

Spyware programs perform a useful function, and also install a program that monitors usage of the victim's computer for the purpose of marketing to the user.

Adware programs are similar to spyware programs, except that the additional software they install shows advertising messages directly to the user.



Win32/Lightmoon.M

Description

Win32/Lightmoon.M is a worm that spreads via e-mail and network shares. It makes trivial changes to its PE header each time it replicates, so that every copy has a different file hash and evades detection methods based on exact-hash matching such as MD5 comparison.
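Why a header tweak defeats MD5 matching, and what to hash instead, is worth seeing concretely. The following is an added example and not code from the CA advisory: it builds a constructed, non-loadable stand-in for a PE image, rewrites the COFF TimeDateStamp field (the description does not say which header field the worm edits; the timestamp is chosen here as an illustration), and compares the full-file MD5 with a hash that zeroes that volatile field first.

```python
import hashlib
import struct

E_LFANEW_OFFSET = 0x3C          # DOS header field pointing at the PE signature
COFF_TIMESTAMP_OFFSET = 4       # TimeDateStamp sits 4 bytes into the COFF file header


def build_minimal_pe(timestamp: int, body: bytes = b"\x90" * 64) -> bytes:
    """Constructed stand-in for a PE image: DOS header, PE signature, COFF header, filler.

    Enough for the header arithmetic below; it is not a loadable executable.
    """
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (E_LFANEW_OFFSET - 2) + struct.pack("<I", e_lfanew)
    # COFF file header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x014C, 1, timestamp, 0, 0, 0, 0x0102)
    return dos_header + b"PE\0\0" + coff + body


def coff_header_offset(pe: bytes) -> int:
    """Locate the COFF file header, validating the MZ and PE signatures."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, E_LFANEW_OFFSET)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return e_lfanew + 4


def read_timestamp(pe: bytes) -> int:
    return struct.unpack_from("<I", pe, coff_header_offset(pe) + COFF_TIMESTAMP_OFFSET)[0]


def with_timestamp(pe: bytes, timestamp: int) -> bytes:
    """Copy of the image with only TimeDateStamp changed: the kind of trivial
    header edit that gives every replica a fresh MD5."""
    off = coff_header_offset(pe) + COFF_TIMESTAMP_OFFSET
    return pe[:off] + struct.pack("<I", timestamp) + pe[off + 4:]


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def header_agnostic_sha256(pe: bytes) -> str:
    """Hash with the volatile field zeroed, so copies that differ only there
    collapse to one value; code that differs still hashes differently."""
    return hashlib.sha256(with_timestamp(pe, 0)).hexdigest()


if __name__ == "__main__":
    original = build_minimal_pe(0x3F000000)
    mutated = with_timestamp(original, 0x3F000001)
    print("md5 differs:       ", md5_hex(original) != md5_hex(mutated))
    print("agnostic hash same:", header_agnostic_sha256(original) == header_agnostic_sha256(mutated))
```

The general lesson is the same whichever field a real sample perturbs: match on something that survives the perturbation (section hashes, import hashes, or a signature over the code bytes) rather than on the hash of the whole file.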

Method of Infection

When executed, the worm makes many copies of itself on the affected system and drops several additional component files. It creates the following copies:
  • %Windows%\lsass.exe
  • %Windows%\<random>.exe (the worm creates 3 copies of itself with different random filenames of this form)
  • %System%\\.cmd
  • %System%\<random>.exe
Note: '%System%' and '%Windows%' are variable locations. The malware determines the location of these folders by querying the operating system. The default System directory is C:\Winnt\System32 on Windows 2000 and NT, C:\Windows\System on 95, 98 and ME, and C:\Windows\System32 on XP and Vista. The default Windows directory is C:\Winnt on Windows 2000 and NT, and C:\Windows on 95, 98, ME, XP and Vista.

It also creates the following files:
  • %Windows%\cypreg.dll
  • %Windows%\moonlight.dll
  • %System%\systear.dll - data file used to store the random filename.
A folder with Recycle Bin attributes is created to store more copies of the worm:
  • %Windows%\.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe
  • %Windows%\.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe
  • %Windows%\.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe
  • %Windows%\.{645FF040-5081-101B-9F08-00AA002F954E}\regedit.cmd
  • %Windows%\.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe
  • %Windows%\.{645FF040-5081-101B-9F08-00AA002F954E}\<random>.com
  • %Windows%\.{645FF040-5081-101B-9F08-00AA002F954E}\<random>.exe
  • %Windows%\.{645FF040-5081-101B-9F08-00AA002F954E}\MYpIC.zip

The following registry modifications are made in order to ensure that the worm is executed:

  • HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\LOAD = ""%Windows%\.{645FF040-5081-101B-9F08-00AA002F954E}\<random>.com""
  • HKCU\Software\Microsoft\Windows\CurrentVersion\RUN\ = "%System%\<random 14 characters>.exe"
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, "%Windows%\.{645FF040-5081-101B-9F08-00AA002F954E}\<random>.exe""
  • HKLM\SYSTEM\ControlSet001\Control\SafeBoot\AlternateShell = "l.exe"
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "%Windows%\.{645FF040-5081-101B-9F08-00AA002F954E}\regedit.cmd"
  • HKLM\Software\Microsoft\Windows\CurrentVersion\RUN\ = "%Windows%\<random>.exe"
The worm also creates a copy of itself in each subfolder under My Documents, using the same name as the subfolder it is created in, for example:
  • \Documents and Settings\<user>\My Documents\My Pictures\My Pictures.exe
  • \Documents and Settings\<user>\My Documents\My Music\My Music.exe

The worm makes several additional registry modifications that are not critical to its replication:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden = 0
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = 1
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = 0
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden\UncheckedValue = 0
  • HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableConfig = 1
  • HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableSR = 1
  • HKCR\exefile\(Default) = "File Folder"
  • HKCR\scrfile\(Default) = "File Folder"
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\debugger = "%Windows%\notepad.exe"
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "%Windows%\notepad.exe"
  • HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Start = 0
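Most of the registry changes above, and the simpler Run entries in the Fantibag.B and MSBLAST descriptions earlier on this page, can be found by parsing a `reg export` file rather than clicking through Regedit. The following triage script is an added example, not the CA advisory's or any vendor's tool: it parses the .reg text format and flags IFEO debugger hijacks, a replaced Winlogon shell or Safe Mode shell, the autorun value names named on this page, and the Explorer and System Restore settings the worm flips. The embedded export is constructed to mimic those entries (C:\WINDOWS stands in for %Windows%, service.exe stands in for the random name, and the 'ctfmon' entry is a benign control); it is not a capture from a real system.

```python
import re
from typing import Dict, List, Tuple

# Constructed .reg export mimicking the modifications listed above (not a real capture).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe]
"debugger"="C:\\WINDOWS\\.{645FF040-5081-101B-9F08-00AA002F954E}\\regedit.cmd"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe]
"debugger"="C:\\WINDOWS\\notepad.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe, C:\\WINDOWS\\.{645FF040-5081-101B-9F08-00AA002F954E}\\service.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot]
"AlternateShell"="l.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"firewall_anti"="C:\\WINDOWS\\firewall_anti.exe"
"windows auto update"="msblast.exe"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt"=dword:00000001
"ShowSuperHidden"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableSR"=dword:00000001
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')

# Autorun value names from the Fantibag.B and MSBLAST descriptions on this page.
KNOWN_RUN_NAMES = {
    "firewall_anti", "windows auto update", "microsoft inet xp..",
    "nonton antivirus", "windows automation", "www.hidro.4t.com",
}


def decode_value(raw: str) -> str:
    """Turn a .reg value literal into a plain string ('dword:' becomes decimal)."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw.lower().startswith("dword:"):
        return str(int(raw[6:], 16))
    return raw


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg export into {key path: {value name (lower-cased): value}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "(default)" if m.group(2) else m.group(1).lower()
            keys[current][name] = decode_value(m.group(3))
    return keys


def triage(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (key, value name, reason) for every setting worth a second look."""
    findings: List[Tuple[str, str, str]] = []
    for key, values in keys.items():
        k = key.lower()
        if "\\image file execution options\\" in k and "debugger" in values:
            findings.append((key, "debugger", "IFEO hijack: launches " + values["debugger"] + " instead"))
        if k.endswith("\\winlogon") and values.get("shell", "explorer.exe").lower() != "explorer.exe":
            findings.append((key, "shell", "extra shell started at logon: " + values["shell"]))
        if k.endswith("\\safeboot") and values.get("alternateshell", "cmd.exe").lower() != "cmd.exe":
            findings.append((key, "alternateshell", "Safe Mode command prompt replaced"))
        if k.endswith("\\currentversion\\run"):
            for name, value in values.items():
                if name in KNOWN_RUN_NAMES:
                    findings.append((key, name, "known worm autorun entry -> " + value))
        if k.endswith("\\explorer\\advanced"):
            if values.get("hidefileext") == "1":
                findings.append((key, "hidefileext", "extensions hidden (masks .exe posing as folders)"))
            if values.get("showsuperhidden") == "0":
                findings.append((key, "showsuperhidden", "system/hidden files concealed"))
        if k.endswith("\\systemrestore") and values.get("disablesr") == "1":
            findings.append((key, "disablesr", "System Restore disabled by policy"))
    return findings


if __name__ == "__main__":
    for key, name, reason in triage(parse_reg(SAMPLE_REG)):
        print(f"{reason}\n    {key} -> {name}")
```

Run it against an export taken with `reg export HKLM hklm.reg` and `reg export HKCU hkcu.reg` on the suspect host. An IFEO 'debugger' value is a hit to examine, not a verdict: legitimate tools also use it (Process Explorer's "Replace Task Manager" option, for one), so check what the debugger path points at.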

The worm uses the File Folder icon.

Copies of the worm, as many as 10, are inserted into ZIP files found in the infected system. The inserted filenames are selected from below:

  • RealPlayer13-5GOLD.exe
  • Icon Cool-Editor 3.4.30315.exe
  • CheatEngine52.exe
  • framework-4.4.exe
  • Vista Transformation Pack 4.0.exe
  • Pack_Vista_Inspirat_1.6.exe
  • DeepUnfreezerU1.6.exe
  • Pack_Longhorn_Inspirat_1.6_code32547.exe
  • TeamViewer_Setup.exe
  • License.exe

Method of Distribution

Via Email

The worm spreads via e-mail with a variable Subject and Message Body. The attachment also uses a variable filename and extension. The From address is 'spoofed', chosen from e-mail addresses collected from the affected system; the infected user's own address is also used.

E-mail sent by the worm has the following characteristics:

Possible Subjects:

  • miss Indonesian
  • Cek This
  • hello
  • Japannes Porn
  • xxx

Possible Message Bodies:

  • hey Indonesian porn
  • Agnes Monica pic's
  • Fucking With Me :D
  • sisilia
  • Hilda
  • please read again what i have written to you
  • Hot ...

The attachment is a ZIP file that contains one executable with a filename selected from this list:

  • Licence.exe
  • Pictures.exe
  • Secret.exe
  • Documents.exe
  • Vivid.exe
  • update.exe
  • XXX.exe
  • cool.exe
  • vitae.exe
  • error.exe

The ZIP filename consists of a string selected from this list, followed by a random number:

  • Miyabi
  • nadine
  • hell
  • video
  • Doc
  • file
  • thisfile
  • need you
The sender address may be "spoofed" using one of these names and domains in addition to those collected from the affected system:
  • Agnes
  • Ami
  • Anata
  • Anton
  • Cicilia
  • Claudia
  • CoolMan
  • Davis
  • Emily
  • Firmansyah
  • Fransisca
  • Fransiska
  • Fria
  • HellSpawn
  • Joe
  • Joko
  • Julia
  • JuwitaNingrum
  • Lanelitta
  • Lia
  • Linda
  • Nana
  • Natalia
  • Riri
  • Rita
  • sasuke
  • SaZZA
  • Susi
  • Titta
  • Valentina
  • Vivi

The spoofed domain names are:

  • hackersmail.com
  • hotmail.com
  • gmail.com
  • msn.com
  • yahoo.com.sg
  • Lovemail.com

The worm collects email addresses to send itself to by searching files on all local fixed drives. It searches in any files with the following extensions:

  • txt
  • tml
  • asp
  • php
  • rtf
  • eml
  • .pl
  • spx
  • .js

It avoids using addresses containing any of the following strings:

  • security
  • avira
  • norman
  • norton
  • panda
  • mcafee
  • Syman
  • sophos
  • Trend
  • vaksin
  • novell
  • virus
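The subject, sender, ZIP name and inner filename lists above are fixed, which makes the lure easy to score at the mail gateway. The following is an added example, not the CA advisory's code: it builds a constructed message in the worm's shape (the "executable" inside is inert filler), then inspects a raw RFC 822 message for each trait, opening the ZIP to check the single inner name. Requiring two independent traits keeps a lone "hello" subject from firing.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr
from typing import List

# Indicator lists taken from the description above.
SUBJECTS = {"miss indonesian", "cek this", "hello", "japannes porn", "xxx"}
ZIP_STEMS = ["Miyabi", "nadine", "hell", "video", "Doc", "file", "thisfile", "need you"]
INNER_NAMES = {"licence.exe", "pictures.exe", "secret.exe", "documents.exe", "vivid.exe",
               "update.exe", "xxx.exe", "cool.exe", "vitae.exe", "error.exe"}
SPOOF_NAMES = {"agnes", "ami", "anata", "anton", "cicilia", "claudia", "coolman", "davis",
               "emily", "firmansyah", "fransisca", "fransiska", "fria", "hellspawn", "joe",
               "joko", "julia", "juwitaningrum", "lanelitta", "lia", "linda", "nana", "natalia",
               "riri", "rita", "sasuke", "sazza", "susi", "titta", "valentina", "vivi"}
SPOOF_DOMAINS = {"hackersmail.com", "hotmail.com", "gmail.com", "msn.com", "yahoo.com.sg", "lovemail.com"}
ZIP_NAME_RE = re.compile(r"^(?:%s)\d+\.zip$" % "|".join(re.escape(s) for s in ZIP_STEMS), re.IGNORECASE)


def build_sample(subject: str, sender: str, zip_name: str, inner_name: str) -> bytes:
    """Construct a test message in the worm's shape; the 'executable' is inert filler."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(inner_name, b"MZ" + b"\0" * 32)      # not a real executable
    msg = EmailMessage()
    msg["Subject"] = subject
    msg["From"] = sender
    msg["To"] = "victim@example.com"                   # assumed recipient
    msg.set_content("Hot ...")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename=zip_name)
    return msg.as_bytes()


def indicators(raw: bytes) -> List[str]:
    """Return the names of the Lightmoon traits found in one RFC 822 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits: List[str] = []
    if str(msg.get("Subject", "")).strip().lower() in SUBJECTS:
        hits.append("subject")
    _, addr = parseaddr(str(msg.get("From", "")))
    local, _, domain = addr.rpartition("@")
    if local.lower() in SPOOF_NAMES and domain.lower() in SPOOF_DOMAINS:
        hits.append("spoofed-sender")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not ZIP_NAME_RE.match(name):
            continue
        hits.append("zip-name")
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as z:
                members = [n.lower() for n in z.namelist()]
        except zipfile.BadZipFile:
            continue
        # The lure carries exactly one executable drawn from the fixed list.
        if len(members) == 1 and members[0] in INNER_NAMES:
            hits.append("inner-exe")
    return hits


def is_lightmoon_lure(raw: bytes, threshold: int = 2) -> bool:
    return len(indicators(raw)) >= threshold


if __name__ == "__main__":
    sample = build_sample("Cek This", "Agnes@hotmail.com", "Miyabi4821.zip", "Pictures.exe")
    print(indicators(sample), is_lightmoon_lure(sample))
```

The sender check only scores the fixed name and domain combinations; addresses harvested from a victim's files will pass it, which is why the attachment checks carry the weight.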

Via Mapped Drives

A copy of the worm is written to the root of all mapped drives, and ZIP files found on the drive, using one of these filenames:

  • RealPlayer13-5GOLD.exe
  • Icon Cool-Editor 3.4.30315.exe
  • CheatEngine52.exe
  • framework-4.4.exe
  • Vista Transformation Pack 4.0.exe
  • Pack_Vista_Inspirat_1.6.exe
  • DeepUnfreezerU1.6.exe
  • Pack_Longhorn_Inspirat_1.6_code32547.exe
  • TeamViewer_Setup.exe

Via Network Shares

A copy of the worm is written to all subfolders, using the subfolder name as the filename, on all network shares to which the affected user has write access. For example, with a target subdirectory of \MyDocs, \Mydocs\MyDocs.exe is created.

If the network share is found to contain the Windows directory, the worm creates a subdirectory "moon" off the root of the network share. It then creates two files:

  • Elitta.htt
  • moonlight.exe
Desktop.ini is then modified to activate "Elitta.htt", which in turn executes "moonlight.exe".


Payload

Before the worm takes any further actions, it checks http://www.google.com/ to determine whether the affected system has Internet access.

Deletes Services

The worm attempts to delete these NT services (components of Norman Virus Control):

  • nipsvc
  • Norman NJeeves
  • nvcoas
  • Norman Zanda

Deletes Registry Values

The worm deletes these registry values from HKCU\Software\Microsoft\Windows\CurrentVersion\run and HKLM\Software\Microsoft\Windows\CurrentVersion\run:

  • ADie suka kamu
  • AllMyBallance
  • Alumni Smansa
  • AutoSupervisor
  • avgnt
  • BabelPath
  • Bron-Spizaetus
  • CueX44_stil_here
  • dago
  • dkernel
  • DllHost
  • Driver
  • drv_st_key
  • Grogotix
  • lexplorer
  • MomentEverComes
  • MSMSG
  • norman zanda
  • norman_zanda
  • Pluto
  • Putri_Bangka
  • Putri_Indonesia
  • SaTRio ADie X
  • service
  • SMA_nya_Artika
  • SMAN1_Pangkalpinang
  • SysDiaz
  • SysRia
  • SysYuni
  • Task
  • templog
  • Tok-Cirrhatus
  • TryingToSpeak
  • ViriSetup
  • Winamp
  • winfix
  • WinUpdateSupervisor
  • Word
  • YourUnintended
  • YourUnintendes

Delete Files

Selected files are deleted from the Desktop, Favorites, Application Data, Startup and Windows folders. The paths to these folders are resolved through the system API, so the behaviour is language independent. The examples below are from an English Windows installation:

  • \Documents and settings\<user>\Desktop\windows*
  • \Documents and settings\<user>\Favorites\*.exe
  • \Documents and settings\<user>\Favorites\*.vbs
  • \Documents and settings\<user>\Local Settings\Application Data\*.exe
  • \Documents and settings\<user>\Start Menu\Programs\Startup\*.pif
  • \Documents and settings\<user>\Start Menu\Programs\Startup\Romantic*
  • %WinDir%\MyHeart.exe
  • %WinDir%\KesenjanganSosial.exe
  • %WinDir%\FirstLove.exe*
  • %WinDir%\eksplorasi*
  • %WinDir%\CintaButa*
  • %WinDir%\ShellNew\*.exe

Source: http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=61987