Some processes named Windows.exe are running.
Computer may slow down.
Win32.Rays.H was written in Visual Basic 6.0. The virus has a single window (witch it hides by moving it outside the screen coordinates). An internal timer perform the following actions every one seconds:
a) It creates the following files on every local disk :
Ø Windows.exe and ghost. Bat. Those files are copy of the original file
Ø NetHood.htm a script code that runs windows.exe
Ø Folder.htt (the same script code as NetHood.htm), except that it is marked as a read-only and hidden. Windows uses this file when opening a folder. That is why, whenever the user uses explorer.exe to view content of a folder this script will be executed first (witch means that the virus will be executed).
Ø desktop.ini ( a hidden and read-only file )
b) It copies itself on every subfolder with the same name as the folder. It also creates a folder.htt in every subfolder. (In a folder named MyFolder, it will be a myfolder.exe and a folder.htt).
c) It also copies itself in %WINDIR%/fonts as a random file name (58dd2.exe)
d) It modifies HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CurentVersion\Run, key=”TempCom”, value = “%WINDIR%/fonts/<rundomname>.exe” witch will automatically run virus when Windows starts.
The virus is spreading thru floppy disks and sharing (mainly because of folder.htt that is executed whenever a user opens that directory from explorer.exe)