Please let BitDefender delete the worm.
Edit the file "%SYSTEM%\drivers\etc\hosts" and delete all the lines beginning with:
except this one:
"127.0.0.1 localhost".
Once executed, the worm copies itself as "%SYSTEM%\beta.exe" and creates the following registry keys in order to be executed at startup:
- HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WINDOWS SYSTEM = "beta.exe"
- HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\WINDOWS SYSTEM = "beta.exe"
The worm scans the local drives for files with extensions:
TXT, HTMB, SHTL, JSPL, CGIL, XMLS, PHPQ, ASPD, DBXN, TBBG, ADBH, PL, HTML, WAB,
and scans them for email addresses which will be used for spreading.
To send an email the worm tries to guess the SMTP server of the email's domain, using suffixes like:
(e.g. for email@example.com it tries SMTP servers like mx.somewhere.com, mail.somewhere.com), or using the local user's SMTP server found in the registry key
"HKCU\Software\Microsoft\Internet Account Manager\Accounts\SMTP Server"
The mail's subject is one of the following:
- *DETECTED* Online User Violation
The mail's body could be one of the following:
- The original message has been included as an attachment.
- We regret to inform you that your account has been suspended due to the violation of our site policy, more info is attached.
- We attached some important information regarding your account.
- Please read the attached document and follow it's instructions.
- We attached your account information.
- Please confirm the attached document!
The message also contains an attached file, with a random name or with a name from the following list, with extensions "[doc/htm/txt] .[exe/scr/pif]"
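A mail-gateway style check for the message shape described above, as an added example that is not part of the original description or any BitDefender code. The function names, sample addresses and sample file names are constructed for illustration; the subject string and extension pattern come from this page.

```python
import re
from email import message_from_string
from email.message import EmailMessage

# Decoy document extension, optional whitespace padding, then an executable
# extension: the "[doc/htm/txt] .[exe/scr/pif]" shape listed on this page.
DOUBLE_EXT = re.compile(r"\.(doc|htm|txt)\s*\.(exe|scr|pif)\s*$", re.IGNORECASE)
# Subject listed on this page, lower-cased for comparison.
KNOWN_SUBJECTS = {"*detected* online user violation"}


def suspicious_attachments(raw_message):
    """Return attachment file names that match the decoy double extension."""
    msg = message_from_string(raw_message)
    hits = []
    for part in msg.walk():
        name = part.get_filename()  # None for parts without a file name
        if name and DOUBLE_EXT.search(name):
            hits.append(name)
    return hits


def triage(raw_message):
    """Return (subject_matches, matching_attachment_names) for one message."""
    msg = message_from_string(raw_message)
    subject = (msg.get("Subject") or "").strip().lower()
    return subject in KNOWN_SUBJECTS, suspicious_attachments(raw_message)


def build_sample(subject, filename):
    """Build a constructed test message (placeholder bytes, not a real sample)."""
    m = EmailMessage()
    m["Subject"] = subject
    m["From"] = "sender@example.com"
    m["To"] = "user@example.com"
    m.set_content("We attached your account information.")
    m.add_attachment(b"constructed placeholder bytes", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_string()


if __name__ == "__main__":
    for subj, fname in [("*DETECTED* Online User Violation", "info.txt   .scr"),
                        ("Quarterly report", "report.doc")]:
        print(subj, "->", triage(build_sample(subj, fname)))
```

Because the page says attachment names can be random, the extension shape is the more durable signal; the subject match is a secondary indicator.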
The worm is also an IRC bot, so it can receive commands to download and execute any file from the internet (including its own updates) and to send any local file or system information.
The worm terminates a large list of processes that could detect or stop it. It also modifies the Windows hosts file to prevent antivirus programs from updating.