
Trojan.Downloader.Cekar.B

MEDIUM
HIGH
24578
(Trojan-Downloader.Win32.Delf Trojan-Downloader.Win32.Delf)

Symptoms

- The Internet Explorer main page is set to: "http://www.299my.com/"
- Presence of the following files on the local file system:
C:\net.exe
C:\Program Files\win.ini
- Some executable files grow in size by 575 bytes or less.
- Some installers become corrupted.
- Presence of an Internet Explorer process without an existing window.
- Increased Internet traffic.

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Suiu Andrei, virus researcher

Technical Description:

When executed, the virus waits 5 minutes and then tries to find an existing Internet Explorer process.
If none exists, it creates one. It then injects itself into the Internet Explorer process and creates a new thread there which tries
to download a file from http://[xxx].tesekl.info/[xxx]/win.ini (which is another virus) and then terminates the process.
After that, the main process executes the downloaded file and begins infecting executable files on the local hard drive.
It searches for *.exe and *.scr files and infects them with Win32.Cekar.A.
Most installer packages become corrupted because the virus modifies the overlay data in an irredeemable way,
but the rest of the files and all code data in the executables can be restored by BitDefender.
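Triage logic for the symptoms listed above and the infection behaviour described here, written as an added example (it is not BitDefender's code or its disinfection routine). The indicator values (start page, file paths, the 575-byte growth, *.exe/*.scr targets) come from this page; the function names, the size-baseline comparison and the registry location of the IE start page are assumptions.

```python
import os
import sys

# Indicator values below are the ones listed on this page.
CEKAR_START_PAGE = "http://www.299my.com/"
CEKAR_FILES = (r"C:\net.exe", r"C:\Program Files\win.ini")
CEKAR_MAX_GROWTH = 575            # an infected host file grows by at most this many bytes
CEKAR_TARGET_EXTS = (".exe", ".scr")


def find_grown_executables(baseline_sizes, current_sizes):
    """Return *.exe/*.scr paths whose size grew by 1..575 bytes since a baseline inventory."""
    grown = []
    for path, old in baseline_sizes.items():          # both maps: path -> size in bytes
        new = current_sizes.get(path)
        if new is None or not path.lower().endswith(CEKAR_TARGET_EXTS):
            continue
        if 0 < new - old <= CEKAR_MAX_GROWTH:
            grown.append(path)
    return grown


def match_cekar_indicators(start_page, existing_files, ie_windowless):
    """Return the names of the listed symptoms present in a given host state."""
    hits = []
    if start_page and start_page.strip().lower().rstrip("/") == CEKAR_START_PAGE.rstrip("/"):
        hits.append("ie_start_page")
    present = {p.lower() for p in existing_files}      # paths that exist on the host
    hits += ["file:" + p for p in CEKAR_FILES if p.lower() in present]
    if ie_windowless:                                   # iexplore.exe running with no window
        hits.append("ie_process_without_window")
    return hits


def collect_windows_state():
    """Read the start-page and file indicators from a live Windows host (windowless-IE check left to the caller)."""
    if sys.platform != "win32":
        raise RuntimeError("collector only runs on Windows")
    import winreg
    # Assumption: IE keeps its start page in HKCU\Software\Microsoft\Internet Explorer\Main, value "Start Page".
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                            r"Software\Microsoft\Internet Explorer\Main") as key:
            start_page = winreg.QueryValueEx(key, "Start Page")[0]
    except OSError:
        start_page = None
    return start_page, [p for p in CEKAR_FILES if os.path.exists(p)]
```

Feed `collect_windows_state()` plus a process check into `match_cekar_indicators`, and compare a pre-incident file inventory with the current one via `find_grown_executables` to list candidate infected hosts files for disinfection.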