Symptoms
Presence of the specified files and registry entries.
Presence of the following processes:
- %system%\system.exe
- %windows%\userinit.exe
Removal instructions:
Please let BitDefender disinfect your files.
Analyzed By
Dan Anton, virus researcher
Technical Description:
When executed, the worm drops several copies of itself in:
- %system%\system.exe
- %windows%\userinit.exe
- [every removable drive]: Secret.exe
Also, it drops:
- %system%\MSWINSCK.OCX, a clean file used by the virus
- %system%\kdcoms.dll, a file in which the worm stores the titles of the user's active windows and the following keystrokes:
Backspace, Tab, Shift, Ctrl, Alt, Pause, Esc, End, Home, Left, Right, Up, Down, Insert, Delete, F1-F12, NumLock, ScrollLock, PrintScreen, PageUp, PageDown
- [every removable drive]: autorun.inf, so that the worm is executed every time the drive is accessed (on systems where AutoRun is enabled for removable drives)
autorun.inf has the following content:
[AutoRun]
open=Secret.exe
;shell\open=Open(&O)
shell\open\Command=Secret.exe
shell\open\Default=1
;shell\explore=Manager(&X)
shell\explore\Command=Secret.exe
The worm modifies the following registry value so that it is executed at every user logon:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit = "%windows%\userinit.exe" (instead of the original file located at %System%\userinit.exe)
The worm also downloads a file from:
http://files.myopera.com/[hide]online/files/task.rar, an archive that also contains a copy of the worm.
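As an added example (not part of the original BitDefender description): a small Python triage script that parses the autorun.inf content listed above and reports which directives would launch a program, and that checks a Winlogon Userinit value against the genuine %SystemRoot%\system32\userinit.exe. The sample autorun.inf is the one from this description, embedded inline; the function names, the tolerant parser and the default SystemRoot of C:\Windows are the example's own assumptions, and the live registry read only works on Windows.

```python
# Added triage helpers for the two persistence mechanisms described above
# (autorun.inf on removable drives, Winlogon "Userinit" hijack). Example code,
# not part of the original BitDefender description.
import os

# The autorun.inf body listed in the description, embedded here as sample input.
SAMPLE_AUTORUN = r"""[AutoRun]
open=Secret.exe
;shell\open=Open(&O)
shell\open\Command=Secret.exe
shell\open\Default=1
;shell\explore=Manager(&X)
shell\explore\Command=Secret.exe
"""

# Directives in the [autorun] section that cause a program to run when the
# drive is opened or explored (compared case-insensitively).
EXEC_KEYS = ("open", "shellexecute", r"shell\open\command", r"shell\explore\command")


def parse_autorun(text):
    """Tolerant autorun.inf parser.

    Returns {lower-cased key: value} for the [autorun] section only, skipping
    blank lines and ';' comments. Worm-written autorun.inf files often use
    mixed case and padding, so this is looser than configparser.
    """
    entries = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries[key.strip().lower()] = value.strip()
    return entries


def autorun_launch_targets(text):
    """Map each execution directive present to the program it would launch."""
    entries = parse_autorun(text)
    return {k: v for k, v in entries.items() if k in EXEC_KEYS and v}


def userinit_anomalies(value, systemroot=None):
    r"""Return entries of a Winlogon 'Userinit' value that are not the genuine
    %SystemRoot%\system32\userinit.exe.

    The value is comma-separated (Windows writes it with a trailing comma).
    The worm points it at %windows%\userinit.exe, one directory above the
    real file, so that entry is reported here. SystemRoot defaults to the
    environment variable, or C:\Windows when unset (assumption).
    """
    systemroot = systemroot or os.environ.get("SystemRoot", r"C:\Windows")
    expected = (systemroot + r"\system32\userinit.exe").lower()
    anomalies = []
    for item in value.split(","):
        item = item.strip().strip('"')
        if item and item.lower() != expected:
            anomalies.append(item)
    return anomalies


def read_live_userinit():
    r"""Read HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
    on Windows; returns None on other platforms."""
    try:
        import winreg
    except ImportError:
        return None
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon")
    try:
        value, _ = winreg.QueryValueEx(key, "Userinit")
    finally:
        winreg.CloseKey(key)
    return value


if __name__ == "__main__":
    print("autorun.inf launches:", autorun_launch_targets(SAMPLE_AUTORUN))
    # The value the worm writes, as described above.
    print("Userinit anomalies (worm value):",
          userinit_anomalies(r"C:\Windows\userinit.exe,"))
    live = read_live_userinit()
    if live is not None:
        print("Live Userinit anomalies:", userinit_anomalies(live))
```

On a clean system userinit_anomalies() returns an empty list for the live value; any extra path it reports is worth pulling for analysis, since everything listed in Userinit runs with the logging-on user's privileges at every logon.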