~ 27 Kb
(Virus.Win32.Drowor.A, Trj/QQpass.PL, W32.Jacksuf.A, W32/Cekar, Worm.Delf.bg, W32/Trojan.AATR)
- The presence of a file named "internat.exe" in the %WINDOWS%\system directory (note: not %WINDOWS%\system32, where internat.exe is a legitimate Windows component), with a size of ~30 Kb
- The presence of a file named "setup.exe" in the root directory of the drive
- The presence of a file named "autorun.inf" in the root directory of the drive
Because the malicious code can badly damage executables during the infection process, infected files should be restored from their original installation kits rather than disinfected. Also, because the infection is carried out by code injected into core system processes (csrss.exe and smss.exe), which cannot be terminated while Windows is running, cleaning must be performed offline, without booting the infected Windows installation.
Attila Balazs, virus researcher
This is a mixed threat, composed of:
- a file-infector component, which increases the size of infected executables by ~30K
- a downloader, which downloads and executes a file from a hard-coded URL (the URL appeared to be inactive at the time of analysis)
When an infected file is executed, it drops the payload to %WINDOWS%\system\internat.exe. This in turn injects code into csrss.exe and smss.exe, and that injected code performs the infection of other executables. Another copy of the malware is dropped in the root folder of the drive under the name "setup.exe", and an autorun.inf file referencing "setup.exe" is created in the same root folder so that the malware is started when the drive is auto-run.
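As an added example that is not part of this description (and not the vendor's own tool), the following Python script checks a drive root and a Windows directory for the on-disk indicators listed above: setup.exe together with an autorun.inf that launches it, and an internat.exe in %WINDOWS%\system (not system32) of roughly 30 KB. The 25-35 KB size window, the mock directory layout and the sample autorun.inf contents are constructed for illustration; the autorun.inf parser follows the documented INI-style format of that file rather than any sample from the page.

```python
"""Offline indicator check for the Drowor/Jacksuf dropper described above.

Added example, not code from the original write-up.  The size window,
the mock tree and SAMPLE_AUTORUN are assumptions made for illustration.
"""
import tempfile
from pathlib import Path

# Assumed tolerance around the "~30 Kb" quoted for the dropped internat.exe.
SIZE_MIN, SIZE_MAX = 25 * 1024, 35 * 1024

# Keys in the [autorun] section that cause a program to be launched.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")


def parse_autorun(text: str) -> dict:
    """Return the key/value pairs of the [autorun] section, keys lowercased.

    autorun.inf is INI-like; section and key names are case-insensitive.
    Lines outside [autorun], blank lines and ';'/'#' comments are ignored.
    """
    section, keys = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "autorun" and "=" in line:
            k, v = line.split("=", 1)
            keys[k.strip().lower()] = v.strip()
    return keys


def first_token(cmd: str) -> str:
    """Program part of a command line: a quoted path or the first whitespace token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def autorun_targets(keys: dict) -> set:
    """Lowercased base names of every program an autorun.inf would launch."""
    targets = set()
    for k in LAUNCH_KEYS:
        if keys.get(k):
            exe = first_token(keys[k]).replace("\\", "/")
            targets.add(Path(exe).name.lower())
    return targets


def scan_drive_root(root) -> list:
    """Indicators for one drive root: setup.exe plus an autorun.inf that starts it."""
    root, findings = Path(root), []
    setup, autorun = root / "setup.exe", root / "autorun.inf"
    if setup.is_file():
        findings.append(f"setup.exe in root ({setup.stat().st_size} bytes)")
    if autorun.is_file():
        targets = autorun_targets(parse_autorun(autorun.read_text(errors="replace")))
        if "setup.exe" in targets:
            findings.append("autorun.inf launches setup.exe")
        elif targets:
            findings.append(f"autorun.inf launches {sorted(targets)}")
    return findings


def scan_windows_dir(windir) -> list:
    """Indicator: internat.exe under %WINDOWS%\\system (system32 is the legitimate one)."""
    findings = []
    p = Path(windir) / "system" / "internat.exe"
    if p.is_file():
        size = p.stat().st_size
        note = ("size matches ~30 KB dropper" if SIZE_MIN <= size <= SIZE_MAX
                else "size outside the expected window")
        findings.append(f"{p} present, {size} bytes ({note})")
    return findings


# Constructed sample, not a captured file from an infected machine.
SAMPLE_AUTORUN = "[AutoRun]\r\nopen=setup.exe\r\nshellexecute=setup.exe\r\nicon=setup.exe,0\r\n"


def build_sample_tree(base):
    """Lay out a harmless mock of an infected drive root and Windows directory.

    The "executables" are zero-filled placeholders of the sizes given in the text.
    """
    base = Path(base)
    drive, windir = base / "drive", base / "WINDOWS"
    (windir / "system").mkdir(parents=True)
    (windir / "system32").mkdir()
    drive.mkdir()
    (drive / "setup.exe").write_bytes(b"\0" * (30 * 1024))
    (drive / "autorun.inf").write_text(SAMPLE_AUTORUN)
    (windir / "system" / "internat.exe").write_bytes(b"\0" * (30 * 1024))   # indicator
    (windir / "system32" / "internat.exe").write_bytes(b"\0" * (60 * 1024)) # legitimate location
    return drive, windir


def run_demo() -> list:
    """Build the mock tree in a temp dir and return all findings."""
    with tempfile.TemporaryDirectory() as tmp:
        drive, windir = build_sample_tree(tmp)
        return scan_drive_root(drive) + scan_windows_dir(windir)


if __name__ == "__main__":
    for finding in run_demo():
        print("INDICATOR:", finding)
```

On a real machine, point scan_drive_root at each drive letter (including removable media, since autorun.inf spreads that way) and scan_windows_dir at %WINDIR%; as the text notes, a positive result is a cue to clean offline, not to start deleting files from the running system.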