Symptoms

Removal instructions:

Analyzed By

Technical Description:

When executed the virus drops the following files:

%WINDOWS%\system32\drivers\acpidisk.sys %WINDOWS%\system32\mprmsgse.axz

%WINDOWS%\system32\mscpx32r.det

Creates the following registry keys:

•  HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{385AB8C6-FB22-4D17-8834-064E2BA0A6F0}
•  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowserHelperObjects\{385AB8C6-FB22-4D17-8834-064E2BA0A6F0}
•  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet \Services\acpidisk

By creating a key in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet \Services the virus ensures that the system will load the driver acpidisk.sys on reboot. When acpidisk is executed it drops the file winlib.dll in %windows%\system32. It then injects the dll in winlogon. From now on acpidisk.sys will intercept the creation of every process and set an event each time it detects that Internet Explorer has been started.

            When winlib.dll is executed it creates a copy of itself in %Temp% with the name ~my[unique number].tmp. It then deletes the original file and the execution continues with the file running from the %Temp% folder. It then downloads pctools.dll from [hide].chnsystem.com and saves it to %Temp%.

            Pctools.dll is the dll that shows the popups. When executed it checks that it is running from internet explorer (it also starts with explorer.exe) and that the operating system is newer than windows 2000;

       It then start to show popups at random time intervals form sites like

• zuoyoukong[hidden].com
• yiq[hidden].com
• 51[hidden].com