| Field | Value |
|---|---|
| Risk Assessment - Home Users | Low |
| Risk Assessment - Corporate Users | Low |
| Date Discovered | 6/15/2007 |
| Date Added | 6/15/2007 |
| Origin | N/A |
| Length | 172,032 bytes |
| Type | Virus |
| SubType | Win32 |
| DAT Required | 5054 |
Virus Characteristics
When this malware is executed, it creates the following folders:
- %My Documents%\Rated R Pictures
- %Windir%\gorgle
- %Windir%\setup
This malware creates multiple copies of itself in several locations. Some of these are:
- c:\CoolWorld.exe
- c:\Documents and Settings\All Users\Desktop\Microsoft Word Document.scr
- c:\Documents and Settings\All Users\Start Menu\New Microsoft Word Document.scr
- c:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Word Document.scr
- c:\Documents and Settings\All Users\Start Menu\Programs\Startup\folderwiz.com
- %userprofile%\My Documents\My Picture.com
- %userprofile%\My Documents\Rated R Pictures.com
- %userprofile%\My Documents\My Pictures\mskernel.exe
- %userprofile%\NetHood\Hot Picture.com
- %userprofile%\PrintHood\Printing Information.com
- %userprofile%\SendTo\Image Editor.com
- %userprofile%\Start Menu\Image Viewer.com
- c:\Program Files\phil.constitution.scr
- c:\WINDOWS\agila.scr
- c:\WINDOWS\AutoRun.ini
- c:\WINDOWS\lsass.exe
- c:\WINDOWS\services.exe
- c:\WINDOWS\gorgle\csrss.exe
- c:\WINDOWS\setup\mskernel.exe
- c:\WINDOWS\system32\mskernel.exe
It copies itself to multiple drives on the system.
It also creates the following file so that the malware is executed when the drive is accessed:
- C:\autorun.inf
This malware then searches for and infects files with the following extensions:
- doc
- rtf
- jpg
- gif
- png
It infects the above files by prepending itself to them.
It changes the icon of the infected files to the M.S.Word icon and the extension to scr or exe.
It also appends 35 bytes to the end of each infected file, along with the extension of the original file.
This malware adds the following registry entries so that it is loaded at system startup:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "WinRun" Data - C:\WINDOWS\AutoRun.ini
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "(Default)" Data - \WINDOWS\lsass.exe
It adds the following registry entries to disable the Run command and Folder Options, and to hide file extensions:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer "NoFolderOptions"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer "NoRun"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer "Run"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HideFileExt "CheckedValue"
It also adds/modifies certain other registry entries for its functioning.
This malware also drops the file "email32.vbs" into the Windows directory. This is a mass-mailer component detected as W32/PetTick.vbs.
It is used to send out copies of the file infector via e-mail, using e-mail addresses harvested from the system.
Symptoms
- The file icon of png, jpg and gif files changed to the M.S.Word icon.
- An increase in file size of 172,067 bytes for infected files.
- Presence of the files and registry entries mentioned above.
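As an added example (not part of the AVERT write-up), a triage helper that applies the numbers above: it flags files whose disguised extension, size and 35-byte trailer match the description, and carves the original document back out by dropping the 172,032-byte prepended body and the trailer. The exact trailer layout is not documented on the page, so the sample fixture's layout (extension padded to 35 bytes) and its filler body are assumptions.

```python
from typing import Optional, Tuple

VIRUS_LENGTH = 172_032            # prepended body, the "Length" in the table
TRAILER_LENGTH = 35               # bytes appended after the original file
INFECTED_GROWTH = VIRUS_LENGTH + TRAILER_LENGTH   # 172,067, the listed symptom
TARGET_EXTS = (b"doc", b"rtf", b"jpg", b"gif", b"png")
DISGUISE_EXTS = (".scr", ".exe")


def original_extension(data: bytes) -> Optional[str]:
    """Return the original extension recorded in the trailer, if any.
    Assumption: the extension appears as ASCII somewhere in the last 35 bytes."""
    trailer = data[-TRAILER_LENGTH:].lower()
    for ext in TARGET_EXTS:
        if ext in trailer:
            return ext.decode()
    return None


def looks_infected(name: str, data: bytes) -> bool:
    """Triage heuristic from the description: disguised extension, large
    enough to contain the prepended body, and a known extension in the trailer."""
    if not name.lower().endswith(DISGUISE_EXTS):
        return False
    if len(data) <= INFECTED_GROWTH:
        return False
    return original_extension(data) is not None


def recover(name: str, data: bytes) -> Optional[Tuple[str, bytes]]:
    """Carve the original document out of a flagged file: drop the prepended
    body and the trailer, and restore the original extension."""
    if not looks_infected(name, data):
        return None
    stem = name.rsplit(".", 1)[0]
    return f"{stem}.{original_extension(data)}", data[VIRUS_LENGTH:-TRAILER_LENGTH]


def make_sample(original: bytes, ext: str) -> bytes:
    """Constructed test fixture, not malware: filler stands in for the virus
    body, and the trailer layout (extension padded to 35 bytes) is assumed."""
    body = b"\x90" * VIRUS_LENGTH
    trailer = ext.encode().ljust(TRAILER_LENGTH, b"\x00")
    return body + original + trailer


ORIGINAL_PNG = b"\x89PNG\r\n\x1a\n" + b"constructed-image-data"
SAMPLE_NAME = "My Picture.scr"
SAMPLE = make_sample(ORIGINAL_PNG, "png")
```

Run `recover` over candidate files on a quarantined copy of the drive; a result of `None` means the file did not match all three indicators and should be inspected by other means.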
Method of Infection
This parasitic file infector spreads by copying itself to multiple locations and to different drives on the system.
It also spreads using the mass-mailing component detected as W32/PetTick.vbs.
Files are infected when the user executes the malware, which is disguised as an M.S.Word document.
A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.