Presence of the specified files and registry entries.
Presence of the following processes:
Please let BitDefender disinfect your files.
Dan Anton, virus researcher
When executed, the worm drops several copies of itself in:
- [every removable drive]: Secret.exe
Also, it drops:
Backspace, Tab, Shift, Ctrl, Alt, Pause, Esc, End, Home, Left, Right, Up, Down, Insert, Delete, F1-F12, NumLock, ScrollLock, PrintScreen, PageUp, PageDown
- %system%\MSWINSCK.OCX, a clean file used by the virus
- %system%\kdcoms.dll, a file in which the virus stores user's active windows titles and the following keys strokes:
- [every removable drive]: autorun.inf, in order that the worm is executed every time the drive is accesed
has the following content:[AutoRun]
The virus modifies the registry value in order to be executed on every system startup:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit = %windows%\userinit.exe
" (instead of the original file located in %System%\userinit.exe
The worm also downloads a file from:http://files.myopera.com/[hide]online/files/task.rar
, which also contains a copy of itself.