- An "autorun.inf" whose first line is the text "forgiveme" in the root of removable storage devices, alongside the file "information.vbs".
- The registry value HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run -> "Explorer", which points to the file %system32%\.vbs, where %system32% is the path [drive of the running OS]:\windows\system32.
- Appearance of these files :
- Generally lower system performance and a running "wscript.exe" process while the user is not running any VBS (Visual Basic Script). Note that wscript.exe is a legitimate OS component and not part of the malware, but an instance that persists without the user explicitly starting a script can be a sign of infection.
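The symptoms above can be checked mechanically. The following triage script is an added example, not BitDefender's code: it looks at each drive root for an autorun.inf whose first line is "forgiveme" next to information.vbs, and (on Windows only) reads the Policies\Explorer\Run "Explorer" value and flags it when it points at a .vbs under system32. Only the marker text, the file names and the registry path come from the page; the sample drive contents are constructed in a temporary directory so the file check runs anywhere, and GetDriveTypeW / winreg are the real Windows APIs used for the live checks. The ".vbs under system32" heuristic is an assumption derived from the description, not a signature.

```python
import os
import sys
import tempfile

AUTORUN_MARKER = "forgiveme"          # first line of the worm's autorun.inf (from the page)
DROPPED_SCRIPT = "information.vbs"    # name of the worm's copy on the drive (from the page)
RUN_POLICY_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
RUN_POLICY_VALUE = "Explorer"


def first_line(path):
    """Return the first line of a file without its line ending, or None if unreadable."""
    try:
        with open(path, "r", encoding="latin-1", errors="replace") as fh:
            return fh.readline().rstrip("\r\n")
    except OSError:
        return None


def scan_drive_root(root):
    """Return a list of findings for one drive root; an empty list means no match.

    os.path.isfile sees files that carry the hidden attribute, so the worm's
    hiding routine does not defeat this check.
    """
    findings = []
    line = first_line(os.path.join(root, "autorun.inf"))
    has_marker = line is not None and line.strip().lower() == AUTORUN_MARKER
    has_script = os.path.isfile(os.path.join(root, DROPPED_SCRIPT))
    if has_marker:
        findings.append('autorun.inf first line is "%s"' % AUTORUN_MARKER)
    if has_script:
        findings.append("%s present at drive root" % DROPPED_SCRIPT)
    # An autorun.inf alone may belong to a legitimate installer; the pair is the strong indicator.
    if has_marker and has_script:
        findings.append("autorun.inf + %s: matches the worm's drop pattern" % DROPPED_SCRIPT)
    return findings


def removable_drive_roots():
    """On Windows, list the roots of removable drives via GetDriveTypeW; elsewhere return []."""
    if sys.platform != "win32":
        return []
    import ctypes
    import string
    DRIVE_REMOVABLE = 2
    return [letter + ":\\" for letter in string.ascii_uppercase
            if ctypes.windll.kernel32.GetDriveTypeW(letter + ":\\") == DRIVE_REMOVABLE]


def read_run_policy():
    """Return the data of the Policies\\Explorer\\Run "Explorer" value, "" if it is absent,
    or None when not on Windows (the key only exists in the Windows registry)."""
    if sys.platform != "win32":
        return None
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_POLICY_KEY) as key:
            data, _ = winreg.QueryValueEx(key, RUN_POLICY_VALUE)
            return str(data)
    except OSError:
        return ""


def run_policy_is_suspicious(data):
    """Assumed heuristic: the value points at a .vbs under system32, as the page describes."""
    if not data:
        return False
    low = data.lower().strip('"')
    return low.endswith(".vbs") and "\\system32\\" in low


def build_sample_drive(infected=True):
    """Create a temp directory imitating a drive root. Constructed sample data: only the
    first line of autorun.inf ("forgiveme") and the file names come from the page."""
    root = tempfile.mkdtemp(prefix="usbroot_")
    if infected:
        with open(os.path.join(root, "autorun.inf"), "w", newline="") as fh:
            fh.write("forgiveme\r\n[autorun]\r\n")
        with open(os.path.join(root, DROPPED_SCRIPT), "w", newline="") as fh:
            fh.write("' placeholder script body, constructed for this example\r\n")
    return root


if __name__ == "__main__":
    # Real removable drives on Windows; the constructed sample root elsewhere.
    roots = removable_drive_roots() or [build_sample_drive()]
    for root in roots:
        print(root, scan_drive_root(root) or "no worm artifacts")
    data = read_run_policy()
    if data is None:
        print("registry check skipped: not on Windows")
    else:
        print("Policies\\Explorer\\Run Explorer =", repr(data),
              "SUSPICIOUS" if run_policy_is_suspicious(data) else "ok")
```

The Policies\Explorer\Run key is the "Run these programs at user logon" policy location, which many autorun inventories overlook in favour of the ordinary Run keys, so it is worth checking explicitly; a hit there combined with the drive-root pair is a stronger signal than either alone.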
Please let BitDefender disinfect your files.
Daniel Chipiristeanu, virus researcher
This is a script written in Visual Basic Script (VBS) which is run by "wscript.exe", a component of the OS. The virus behaves like a worm.
At first it deletes any files or folders that might have the same path as the future worm files (detailed later on). It has a function that hides files from the user's view (sets the "hidden" attribute) and applies it to the original file that the user executed.
Afterwards it copies itself into a path of the operating system ("Windows\system32") under the name ".vbs". It then creates these files:
- "%System32%\.reg" with the contents described below, which it then imports into the registry using regedit.exe.
Windows Registry Editor Version 5.00
This will hide system files from the user while browsing the contents of the hard disk.
- "%System32%\.uce", which looks like a usual "autorun.inf" and is what you will find in the root of the removable storage devices the worm uses to execute itself and spread the infection to other computers.
- "%System32%\.pif", which stores the date on which the infection occurred.
- "%System32%\.vbs", a copy of the malware hidden from the user.
It infects removable devices by copying the file "%System32%\.uce" to their root under the name "autorun.inf", and the original script under the name "information.vbs". Afterwards it checks that the current autorun.inf starts with the text "forgiveme", in the same way that it checks the integrity of the script: on the first line it must have the text "'xiao1
It downloads files from the following site: http://?xx3.cn/ and saves them into the temp folder under the name ".pif", then executes them as ".pif.exe".
It adds itself and the downloaded files to the Windows scheduled tasks so that they run at a specific time relative to the time of infection.
It sets the registry value HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run -> "Explorer", which runs the malware at startup. This key is the "Run these programs at user logon" policy location rather than the ordinary Run key, so it is easy to miss when reviewing autostart entries.