Trojan.Autorun.ND

MEDIUM
LOW
229621 bytes

Symptoms

The presence of the file smss.exe in the Windows directory.
Files being sent on Yahoo Messenger without your consent.
Unable to see the Task Manager or the Folder Options window.

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Mihai Razvan Benchea, virus researcher

Technical Description:

When executed, the file copies itself to:

%windir%\killer.exe

%windir%\Funny UST Scandal.exe

%windir%\smss.exe

It creates an autorun.inf file inside the Windows directory, so every time the user enters the Windows directory, the smss.exe file created above is executed.

It creates a copy of the virus in the root folder of each drive under the names smss.exe and Funny UST Scandal.exe. The autorun.inf is also copied, so the virus starts each time a user opens one of the drives in Windows Explorer.

In order to start at Windows startup, it copies itself to

%WindowsDrive%\Documents and Settings\All users\Start Menu\Programs\Startup\lsass.exe

It adds a value named RunOnce under the key HKCU\Software\Microsoft\Windows\CurrentVersion\Run

It modifies the value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell so the virus will start with explorer.exe.

It modifies the value HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL to 0 so hidden files won’t be seen.

When it finds a window that starts with one of the words “Task”, “Process”, “Registry”, “Setup”, “Installation”, “Virus”, “Configuration”, “Policy”, “system32”, “Security”, “Folder Options”, it closes or hides the window.

It searches for an active conversation on Yahoo Messenger, types the message “open dis ganda nakakatawa” and then sends the virus.

It changes the user status to “sino gusto funny scandal ust pm nio ko”.
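The file and registry artifacts listed above can be checked on a host with a read-only script. This is an added example, not Bitdefender's tooling; the function name `Get-AutorunNdArtifacts` is hypothetical, the All Users Startup folder is resolved through `CommonStartup` instead of the hard-coded path, and the `CheckedValue` value name under the SHOWALL key is an assumption, since the description does not name it.

```powershell
# Added example: read-only triage for the artifacts listed in this description.
function Get-AutorunNdArtifacts {
    $hits = @()
    $dropped = 'killer.exe', 'Funny UST Scandal.exe', 'smss.exe'

    # Copies in the Windows directory and in the root of every drive.
    # The genuine smss.exe lives in %windir%\System32, never in these places.
    $dirs = @($env:windir) + @(Get-PSDrive -PSProvider FileSystem | ForEach-Object { $_.Root })
    foreach ($dir in $dirs) {
        foreach ($name in $dropped) {
            $path = Join-Path $dir $name
            if ([IO.File]::Exists($path)) { $hits += "Dropped copy: $path" }
        }
        # Report an autorun.inf only when it points at smss.exe.
        $inf = Join-Path $dir 'autorun.inf'
        try {
            if ([IO.File]::Exists($inf) -and ([IO.File]::ReadAllText($inf) -match 'smss\.exe')) {
                $hits += "autorun.inf launches smss.exe: $inf"
            }
        } catch { $hits += "autorun.inf present but unreadable: $inf" }
    }

    # All Users Startup folder (the description gives its Windows XP location).
    $startup = Join-Path ([Environment]::GetFolderPath('CommonStartup')) 'lsass.exe'
    if ([IO.File]::Exists($startup)) { $hits += "Startup copy: $startup" }

    # Value named RunOnce under the per-user Run key.
    $run = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties['RunOnce']) { $hits += "Run value RunOnce = $($run.RunOnce)" }

    # Windows ships with the Winlogon Shell value set to explorer.exe alone.
    $wl = Get-ItemProperty 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' -ErrorAction SilentlyContinue
    if ($wl -and $wl.Shell -and $wl.Shell.Trim() -ne 'explorer.exe') { $hits += "Winlogon Shell = $($wl.Shell)" }

    # Assumption: the data under the SHOWALL key is the CheckedValue value.
    $key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
    $sa = Get-ItemProperty $key -ErrorAction SilentlyContinue
    if ($sa -and $sa.PSObject.Properties['CheckedValue'] -and $sa.CheckedValue -eq 0) {
        $hits += 'SHOWALL CheckedValue = 0 (hidden files suppressed)'
    }
    $hits
}

Get-AutorunNdArtifacts
```

An empty result means none of the listed artifacts were found for the current user and machine; the HKCU check covers only the account running the script.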