Symptoms
- AVWAV32.DLL, KSPOOL.EXE in %system% folder
- FFASTIDX.DAT and debug1.txt in %systemroot%
Removal instructions:
Download the removal tool to disinfect the document files and clean the registry, then do a system scan with BitDefender to remove any remaining traces of the malware.
Analyzed By
Theodor-Iulian Ciobanu, virus researcher
Technical Description:
Upon execution the worm copies itself in the windows system folder as kspool.exe and adds a key in the system registry to be run upon startup, named
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Kernel spooler
It then proceeds to spreading, which is done by
a) copying itself as
>%DriveLetter%\MSSETUP.T~~\Uninstall Driver.exe
where %DriveLetter% is a network mapped drive, creating also a folder.htt file in the same folder, to run the malware when the folder is accessed by Explorer
and
b) by the dropped library, AVWAV32.DLL, which has file infector behaviour:
It scans the computer for document files (.doc, .xls, .ldf, .mdf) to which it prepends itself and whose extensions are changed to .exe. Upon execution of such a file, the malware infects the computer it is run on, drops the original document and opens it.
SHARE
THIS ON