1. Presence of wgareg.exe file in %SYSTEMDIR%
2. Presence of the following registry key:
3. Presence of a service with the following properties:
Display Name: Windows Genuine Advantage Registration Service
Description: "Ensures that your copy of Microsoft Windows is genuine and registered.
Stopping or disabling this service will result in system instability"
This service will be restarted by Windows if it is killed.
4. Windows Security Center Firewall and anti-virus monitors are disabled.
5. Active TCP connection to bniu.househot.com or ypgw.wallloan.com on port 18067
6. A harmless file named dcpromo.log exists in %WINDIR%\\Debug\\ size 0 bytes.
7. A mutex is created with name "wgareg".
8. AIM (AOL Instant Messanger) may be forced to close.
9. Possible increase of internet traffic.
Stop the service, and then remove
from registry, kill the process, then erase %SYSTEMROOT%\\wgareg.exe
Marius Tivadar, virus researcher
The file is packed and encrypted to hide it's malicious code. When is first run, the virus starts a thread that will check if the program is being debugged, and will immediately exit if it discovers an user-level debugger. On next step, will copy itself in windows system directory, then will install itself as a windows service with name "wgareg". The service is configured so, it will be automatically restarted by windows if it is killed. Next, the virus will start explorer.exe in suspend mode, then will inject code in this process. The injected code, has to wait for the virus to exit, and then will erase the file. After erasing the file, the process will exit.
Same, after installing the service, the virus will exit. Next, the virus is started by windows because now it is registered as a service. The virus is started from %SYSTEMDIR%\\wgareg.exe. This time, the virus will skip the installation part, and will begin the main activity. First, will create a mutex named "wgareg", for exclusivity. Next, it will disable the windows security center firewall, and anti-virus monitors by modifying registry keys, and will create dcpromo.log in %WINDIR%\\Debug\\ , size 0 bytes. This way, it will protect the computer against MS04-011 vulnerability. Next, it will try to connect to irc-server net32.vr0k.com.ar on port 18067, and will attempt to join a password-protected channel named #N1.The nickname is random created and it's form is N1-xxxxxxxx, where xxxxxxxx is a random number. After connecting, it stays and listens in background for commands.
Commands are powerfull enough to upgrade the virus, uninstall, download a file from internet and execute it, open a shell, run any process from infected computer, execute any irc command, search for a file, syn-flood, take control of instant messanger.
worm-like, exploits the MS04-011 vulnerability on demand and transmits itself.