~ 8 kB


Increased system activity (network usage and removable disk usage).

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Adrian Popescu, virus researcher

Technical Description:

It checks whether its process name is “explorer.exe”; if it is not, it moves the file
"%SYSTEM%\dllcache\explorer.exe" to "%TEMP%\lorer.exe".
It infects the copied file and then copies it to "%WINDOWS%\explorer.exe".

After that, it infects all *.exe and *.scr files, but only on removable disks and connected network drives. It does not change the size or creation time of the original files; instead it writes its malicious code into empty zones of the file.
When infecting a file, the virus creates 3 threads. The first one is used to create the infection process for the host file.
The second one infects the files on removable disks. The virus searches for removable disks starting with “Z:” and descending to “D:”.
The third thread infects the network files. The infection is made only in directories named:
  • “Windows”
  • “system32”
  • “winnt”
  • “dllcache”
and with the following names:
  • “readbook.exe”
  • “qq.exe”
  • “icesword.exe”
  • “aspack.exe”
  • “iris.exe”
  • “iexplore.exe”
  • “navapw32.exe”
  • “navapsvc.exe”
  • “nmain.exe”
  • “navw32.exe”
  • “kvfw.exe”
  • “kavsvcui.exe”
  • “kavpfw.exe”
  • “kav32.exe”
  • “kvxp.kvxp.kxp”
  • “kvsrvxp.exe”
  • “kvmonxp.kxp”
  • “kvwsc.exe”
  • “kavsvc.exe”
  • “kwatchui.exe”
  • “ravmond.exe”
  • “ravmon.exe”
  • “ravtimer.exe”
  • “rising.exe”
  • “rav.exe”
  • “ravmon.exe”
  • “ravtimer.exe”
  • “iparmor.exe”
  • “trojanhunter.exe”
  • “thguard.exe”
  • “pfw.exe”
  • “eghost.exe”
  • “mailmon.exe”
  • “firefox.exe”
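
Because the infection described above leaves file size and creation time unchanged, a size or timestamp comparison will not notice it; only a content hash will. The following is an added example, not part of the original description or of any Bitdefender tool: it baselines *.exe and *.scr files under a directory (for instance a removable drive) and reports files whose content changed. The function names and the sample file are constructed for illustration.

```python
import hashlib
import os
import tempfile

TARGET_EXTS = (".exe", ".scr")  # file types the description says get infected

def snapshot(root):
    """Map each *.exe / *.scr file under root to (size, SHA-256 hex digest)."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(TARGET_EXTS):
                continue
            path = os.path.join(dirpath, name)
            digest, size = hashlib.sha256(), 0
            try:
                with open(path, "rb") as fh:
                    for chunk in iter(lambda: fh.read(1 << 20), b""):
                        digest.update(chunk)
                        size += len(chunk)
            except OSError:
                continue  # unreadable file: leave it out of the snapshot
            state[os.path.relpath(path, root)] = (size, digest.hexdigest())
    return state

def compare(baseline, current):
    """Return (path, reason) for files that are new or whose content changed."""
    findings = []
    for path, (size, digest) in sorted(current.items()):
        if path not in baseline:
            findings.append((path, "new file"))
        elif digest != baseline[path][1]:
            reason = "size unchanged" if size == baseline[path][0] else "size changed"
            findings.append((path, "content changed, " + reason))
    return findings

def demo():
    # Constructed sample: a fake .exe whose zero padding is overwritten in place.
    with tempfile.TemporaryDirectory() as root:
        target = os.path.join(root, "tool.exe")
        with open(target, "wb") as fh:
            fh.write(b"MZ" + b"\x00" * 64 + b"original code")
        baseline = snapshot(root)
        with open(target, "r+b") as fh:  # same length, different bytes
            fh.seek(10)
            fh.write(b"\xAA" * 16)
        return compare(baseline, snapshot(root))
```

The baseline has to be taken while the files are known to be clean and stored somewhere the scanned drive cannot write to.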