Win32.Worm.VB.NPM
MEDIUM
HIGH
approx. 150 KB
Symptoms
A running process named "System.exe" with the path "%Windows%\System.exe" and a folder icon.
A hidden folder named "Recycled" in every accessible drive.
When executed, it shows an Explorer window of an empty directory whose caption is the malware's file name (without the extension).
Removal instructions:
Please let BitDefender disinfect your files.
Analyzed By
Daniel Chipiristeanu, virus researcher
Technical Description:
When executed, it shows an Explorer window of an empty directory.
The malware creates the following files on all drives:
[DRIVE]:\autorun.inf
[DRIVE]:\Recycled\desktop.ini
[DRIVE]:\Recycled\INFO.exe
and writes an autorun.inf that replaces the drive's "Open" and "Explore" actions with the worm, so it is executed each time the drive is opened from My Computer or via AutoPlay:
shell\open\Command=RECYCLED\INFO.exe
shell\open\Default=1
shell\explore\Command=RECYCLED\INFO.exe
It drops:
* %WINDOWS%\Config\Svchost.exe, which is a copy of itself;
* %WINDOWS%\Config\System.exe;
* %WINDOWS%\System.exe.
The last two files are used for the folder-window properties (the folder icon and empty-directory window described under Symptoms).
It modifies the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
(read by Winlogon at every user logon, so the malware is started whenever a user logs on),
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\System
and sets the ValueName value under the two Folder Options keys that back the "Hide extensions for known file types" and "Show hidden files and folders" settings in Explorer:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt\ValueName
("HideFileExt"),
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden\ValueName
("ShowSuperHidden").
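The following read-only triage script is an added example, not part of the BitDefender description: it checks a host for the indicators listed above (the dropped files, the System.exe process, the autorun.inf entries on every accessible drive, the Winlogon Userinit value and the two Folder Options keys) and reports what it finds without removing anything. It assumes an elevated PowerShell session on the suspect machine and that the clean Userinit value is the default "userinit.exe," entry; the expected Folder Options ValueName data are the documented defaults.

```powershell
# Added triage script for the Win32.Worm.VB.NPM indicators above (example, not BitDefender code).
# Read-only: reports findings, removes nothing. Assumes an elevated PowerShell 5.1+ session.

$windir = $env:windir

# 1. Dropped files named in the description.
$droppedFiles = @(
    (Join-Path $windir 'System.exe'),
    (Join-Path $windir 'Config\System.exe'),
    (Join-Path $windir 'Config\Svchost.exe')
)
foreach ($f in $droppedFiles) {
    if (Test-Path -LiteralPath $f) {
        $hash = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
        Write-Output "[!] Dropped file present: $f SHA256=$hash"
    }
}

# 2. A process named System.exe running from %windir%.
#    The legitimate kernel 'System' process has no image path, so filtering on Path excludes it.
Get-Process -Name 'System' -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and ($_.Path -eq (Join-Path $windir 'System.exe')) } |
    ForEach-Object { Write-Output "[!] Suspicious process PID $($_.Id): $($_.Path)" }

# 3. autorun.inf on every accessible drive whose Open/Explore action launches RECYCLED\INFO.exe,
#    plus the payload itself. Hidden files are still visible to Test-Path and Get-Content.
$autorunPattern = '^\s*shell\\(open|explore)\\command\s*=\s*recycled\\info\.exe\s*$'
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $root = $drive.Root
    $inf  = Join-Path $root 'autorun.inf'
    if (Test-Path -LiteralPath $inf) {
        $hits = Get-Content -LiteralPath $inf -ErrorAction SilentlyContinue |
                Where-Object { $_ -match $autorunPattern }   # -match is case-insensitive
        if ($hits) {
            Write-Output "[!] $inf launches RECYCLED\INFO.exe:"
            $hits | ForEach-Object { Write-Output "      $_" }
        }
    }
    $payload = Join-Path $root 'Recycled\INFO.exe'
    if (Test-Path -LiteralPath $payload) { Write-Output "[!] Worm payload present: $payload" }
}

# 4. Winlogon Userinit: anything beyond the default userinit.exe entry runs at every logon.
#    Assumption: the clean value is '<windir>\system32\userinit.exe,' (trailing comma included).
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinit = (Get-ItemProperty -Path $winlogon -Name Userinit -ErrorAction SilentlyContinue).Userinit
$expected = (Join-Path $windir 'system32\userinit.exe') + ','
if ($userinit -and ($userinit -ne $expected)) {   # string -ne is case-insensitive
    Write-Output "[!] Winlogon\Userinit = '$userinit' (expected '$expected')"
}

# 5. The key the description says is created, and the two Folder Options keys it tampers with.
if (Test-Path -LiteralPath 'HKLM:\SOFTWARE\Microsoft\System') {
    Write-Output '[!] HKLM\SOFTWARE\Microsoft\System exists (not present on a clean install)'
}
$folder = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder'
$expectedValueName = @{ 'HideFileExt' = 'HideFileExt'; 'SuperHidden' = 'ShowSuperHidden' }
foreach ($entry in $expectedValueName.GetEnumerator()) {
    $p = Get-ItemProperty -Path (Join-Path $folder $entry.Key) -ErrorAction SilentlyContinue
    if ($p) {
        Write-Output ("    {0}: ValueName='{1}' CheckedValue={2} UncheckedValue={3}" -f `
            $entry.Key, $p.ValueName, $p.CheckedValue, $p.UncheckedValue)
        if ($p.ValueName -ne $entry.Value) {
            Write-Output "[!] $($entry.Key)\ValueName changed from '$($entry.Value)' to '$($p.ValueName)'"
        }
    }
}
```

Run it before disinfection to record the state of the machine (hashes and registry data) for the incident record, and again afterwards to confirm that no drive still carries the autorun.inf / Recycled\INFO.exe pair; a cleaned host that is reconnected to an infected removable drive is reinfected as soon as the drive is opened.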