- infected executable files grow by 18,951 bytes
- the text "firefox" at the end of infected executables
- the file kav.log in the system32\spool\ folder
- the file taskmgr.exe (18,944 bytes) in the folder \Program Files\Common Files\Microsoft Shared\Speech\
  (e.g. C:\Program Files\Common Files\Microsoft Shared\Speech\taskmgr.exe)
- the file dlg.dll (3,073 bytes) in the folder \Program Files\Common Files\Microsoft Shared\Speech\
  (e.g. C:\Program Files\Common Files\Microsoft Shared\Speech\dlg.dll)
- the following files in the root of each drive with write access:
  autorun.inf (81 bytes)
  folder.exe (18,944 bytes)
  (e.g. c:\folder.exe, c:\autorun.inf)
Due to a bug, the virus may display an error message about a missing disk in drive A:
Please let BitDefender disinfect your files.
Patrik Vicol, virus researcher
This is a prepender virus: it infects executables by adding itself to the beginning of the host file, so that the virus code executes first and then launches the original host file.
Once an infected file is run, the virus does the following:
1. Creates the file kav.log in the system32\spool\ folder
2. Creates a copy of itself as taskmgr.exe (18,944 bytes) in the folder \Program Files\Common Files\Microsoft Shared\Speech\ and starts it
3. Creates the mutex "kilVirus"
4. Attempts to disable various security applications
5. Checks for the existence of some predefined files (pinyin.exe and protect.exe)
6. Creates copies of the virus in the root of each drive as folder.exe, and also creates autorun.inf files there, linked to folder.exe (a bug in this routine may cause a prompt for a disk in drive A:)
7. Starts infecting executables, matching files with the extensions scr, com and exe, and appends the text "firefox" to the end of each infected file
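
A triage sketch for the indicators listed above, added here as an example and not BitDefender's code: it flags scr/com/exe files whose last bytes are the text "firefox", and files whose name and size match the dropped files. The function names, the ASCII byte form of the marker and the sample tree are assumptions constructed for illustration.

```python
from pathlib import Path

MARKER = b"firefox"  # assumed ASCII form of the text appended to infected files
TARGET_EXTS = {".exe", ".scr", ".com"}
# Dropped-file names and sizes in bytes, as listed in the description
DROPPED = {"taskmgr.exe": 18944, "dlg.dll": 3073, "folder.exe": 18944, "autorun.inf": 81}


def has_trailing_marker(path):
    """True if the last bytes of the file are the marker text."""
    if path.stat().st_size < len(MARKER):
        return False
    with path.open("rb") as fh:
        fh.seek(-len(MARKER), 2)  # 2 = seek relative to end of file
        return fh.read() == MARKER


def scan(root):
    """Return (marked, dropped): sorted relative paths of files worth a closer look."""
    root, marked, dropped = Path(root), [], []
    for path in root.rglob("*"):
        try:
            if not path.is_file():
                continue
            rel = path.relative_to(root).as_posix()
            if path.suffix.lower() in TARGET_EXTS and has_trailing_marker(path):
                marked.append(rel)
            if DROPPED.get(path.name.lower()) == path.stat().st_size:
                dropped.append(rel)
        except OSError:
            continue  # locked or unreadable file: skip it, keep scanning
    return sorted(marked), sorted(dropped)


def build_sample_tree(root):
    """Constructed sample data: filler bytes only, no malware content."""
    samples = {
        "apps/clean.exe": b"MZ" + b"\0" * 100,
        "apps/tool.EXE": b"MZ" + b"\0" * 100 + MARKER,
        "apps/notes.txt": b"about firefox",
        "autorun.inf": b"x" * 81,
        "folder.exe": b"\0" * 18944,
        "docs/autorun.inf": b"x" * 40,
    }
    for rel, data in samples.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
```

A hit is only a lead for closer inspection: a clean file can end in the same seven bytes, and a name-and-size match says nothing about the file's content.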