+13kB, dropped dll ~18 KB
Some applications fail to launch properly. Rundll32.exe executes an obscure dll (named for example "90c.tmp" in %TEMP% folder).
The dropped dll has the following description embedded in it: "Microsoft OLE for Windows stub" and it's original name is set to "Ole16.dll".
Win32.Fidcop.A infects executable files larger than 524288 bytes. It does this by scanning random fixed media (hard drives, flash drives etc.) In order not to attract attention it doesn't infect files in folders that have the following string in their paths: "win", "program files", "documents and", "_restore", "music". Another restriction is that infected executables must be for the i386 architecture and have an standard image base (0x400000).
Method of infection: replaces a part of the first section with some of it's code (aprox. 1.5Kbytes). The other code is packed in overlay. This part creates a temporary dll file (ex. 90.tmp) and then runs it using rundll32.exe. This dll is the main virus body and has the role to infect other files and run the original file. The Win32.Fidcop.A hides two cabinet files in it's body.