- Presence of a "Systray" key in the autorun locations of the Windows registry.
- Presence of the following files on the system:
- Increased internet traffic.
- "Friend users" from myspace.com receive links with comments via Inbox messages from the user with the infected system.
Please let BitDefender disinfect your files.
Suiu Andrei, virus researcher
Once it is launched, it moves itself to C:\Windows\mstre6.exe and then executes itself from that location.
It finds the default explorer cookies folder and searches it for files which contain "myspace.com".
If no appropriate files are found, it shows a MessageBox with the following text: "Error installing Codec. Please contact support", creates a file in C:\Windows\tmark2.dat and writes "1" into it. This way it marks the operating system for its presence, and then it terminates itself, subsequently deleting its file. So the worm infects only systems which use myspace.com.
If such cookies are found on the system, it adds an entry into the Registry autorun under the "Systray" key name.
The worm also deletes the following registry key:
Next, it gets miscellaneous links and short captions from its server (zzzping.com) to be sent via MySpace.com. The links it attempts to send to the Myspace.com contacts point users to a fake codec update, which proves to be an infected binary file containing a copy of the worm.
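A triage check for the host artifacts described above, as an added example that is not part of the original write-up. It assumes the "autorun locations" are the standard Run keys and that the Windows directory is the one in `$env:windir`; it separates a host where the worm installed itself from one where it only left its marker and exited.

```powershell
# Added example (PowerShell 3.0 or later): triage for the artifacts named in this description.
# Assumption: "autorun locations" = the standard Run keys (the page lists none).
# Assumption: C:\Windows on the page corresponds to $env:windir on this host.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$wormPath   = Join-Path $env:windir 'mstre6.exe'   # location the worm runs from
$markerPath = Join-Path $env:windir 'tmark2.dat'   # marker written when no cookies match
$findings   = @()

# 1. "Systray" value under a Run key; keep its data to see what it launches.
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props -and ($props.PSObject.Properties.Name -contains 'Systray')) {
        $findings += [pscustomobject]@{
            Indicator = 'Systray autorun value'; Location = $key; Detail = [string]$props.Systray }
    }
}

# 2. The relocated worm binary.
if (Test-Path -LiteralPath $wormPath -PathType Leaf) {
    $f = Get-Item -LiteralPath $wormPath -Force
    $findings += [pscustomobject]@{
        Indicator = 'mstre6.exe'; Location = $wormPath
        Detail    = "size=$($f.Length) created=$($f.CreationTimeUtc.ToString('u'))" }
}

# 3. The marker file; the description says it contains "1".
$markerOnly = $false
if (Test-Path -LiteralPath $markerPath -PathType Leaf) {
    # Interpolation turns an empty file ($null) into an empty string before Trim().
    $text = "$(Get-Content -LiteralPath $markerPath -Raw -ErrorAction SilentlyContinue)".Trim()
    $detail = if ($text -eq '1') { 'content "1" matches the description' } else { 'content differs' }
    $markerOnly = ($findings.Count -eq 0)   # no persistence artifacts found before this point
    $findings += [pscustomobject]@{
        Indicator = 'tmark2.dat'; Location = $markerPath; Detail = $detail }
}

if ($findings.Count -eq 0) {
    $verdict = 'None of the described artifacts found.'
} elseif ($markerOnly) {
    $verdict = 'Marker only: the worm ran, found no myspace.com cookies and deleted itself.'
} else {
    $verdict = 'Persistence artifacts found: treat the host as infected.'
}

$findings | Format-Table -AutoSize -Wrap
$verdict
```

A "Systray" value whose data does not point at mstre6.exe deserves a manual look before it is counted as a hit.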
This technique is extremely efficient, especially given the fact that users are more likely to trust links sent by friends than by unknown contacts. The worm spreads from one system to another by using the Myspace