Win32.Rays.H (Rays)
SYMPTOMS:
Some processes named Windows.exe are running. The computer may slow down.

TECHNICAL DESCRIPTION:
Win32.Rays.H was written in Visual Basic 6.0. The virus has a single window, which it hides by moving it outside the screen coordinates. An internal timer performs the following actions every second:

a) It creates the following files on every local disk:
   - Windows.exe and ghost.bat. These files are copies of the original file.
   - NetHood.htm, a script that runs windows.exe.
   - Folder.htt (the same script code as NetHood.htm), except that it is marked as read-only and hidden. Windows uses this file when opening a folder. That is why, whenever the user uses explorer.exe to view the content of a folder, this script is executed first (which means that the virus is executed).
   - desktop.ini (a hidden and read-only file).

b) It copies itself into every subfolder, using the folder's name as the file name. It also creates a folder.htt in every subfolder. (In a folder named MyFolder, there will be a myfolder.exe and a folder.htt.)

c) It also copies itself into %WINDIR%/fonts under a random file name (58dd2.exe).

d) It modifies HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CurrentVersion\Run, key="TempCom", value="%WINDIR%/fonts/<randomname>.exe", which automatically runs the virus when Windows starts.

The virus spreads through floppy disks and sharing (mainly because of folder.htt, which is executed whenever a user opens that directory from explorer.exe).

Removal instructions:
Please let BitDefender disinfect your files.

ANALYZED BY:
Dragos Gavrilut, virus researcher
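
A triage sketch for the file artifacts listed in the technical description (an added example, not BitDefender's code and not part of the original write-up). Because the dropped files are described as copies of one file, it groups files matching the described names by SHA-256 and separately lists executables in a fonts directory. The function names and the sample tree with placeholder bytes are constructed for illustration.

```python
import hashlib
import os
import tempfile
from collections import defaultdict
from pathlib import Path

def scan_tree(root):
    """Group files matching the described naming pattern by content hash."""
    hits = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        names = {f.lower(): f for f in files}
        wanted = []
        if os.path.samefile(dirpath, root):
            wanted = ["windows.exe", "ghost.bat"]  # dropped on the disk root
        elif "folder.htt" in names:
            wanted = [os.path.basename(dirpath).lower() + ".exe"]  # <folder>.exe
        for name in wanted:
            if name in names:
                path = Path(dirpath, names[name])
                hits[hashlib.sha256(path.read_bytes()).hexdigest()].append(str(path))
    return hits

def self_copies(hits, minimum=2):
    """Identical bytes under several pattern names point to self-copying."""
    return {h: sorted(p) for h, p in hits.items() if len(p) >= minimum}

def exes_in_fonts(fonts_dir):
    """Executables do not belong in a fonts folder; list any present."""
    return sorted(f for f in os.listdir(fonts_dir) if f.lower().endswith(".exe"))

def build_sample(root):
    """Constructed tree with harmless placeholder bytes (not a real sample)."""
    layout = {
        "Windows.exe": b"COPY-A", "ghost.bat": b"COPY-A",
        "MyFolder/myfolder.exe": b"COPY-A", "MyFolder/folder.htt": b"script",
        "Tools/tools.exe": b"OTHER-B",  # no folder.htt beside it: not matched
        "fonts/58dd2.exe": b"COPY-A", "fonts/arial.ttf": b"font",
    }
    for rel, data in layout.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(self_copies(scan_tree(tmp)))
        print(exes_in_fonts(os.path.join(tmp, "fonts")))
```

On a real host, point `scan_tree` at a drive root and `exes_in_fonts` at the fonts directory under %WINDIR%; a hash group spanning the root and several subfolders matches the copy behaviour in steps a) and b).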