approx 32700 bytes
Increased network activity.
Please let BitDefender disinfect your files.
Stefan Catalin Hanu, virus researcher
After execution, the malware copies itself to
C:\Program Files\Microsoft Common\wuauclt.exe
(a name borrowed from the legitimate Windows Update client, which lives in %SYSTEM%, not under Program Files) and connects to a remote server (91.203.[hide].[hide]:http). If needed, it adds an exception for itself
to the Windows firewall. It injects code into the memory of an svchost.exe process and sends sensitive information
about the infected computer (such as the version of the operating system and the port
on which the virus can receive data), then waits to receive a command. Based on
the operating system of the infected computer, the virus tries to download a
file from a certain address that acts as an update. On the test machine, this file was %SYSTEM%\cpl32ver.exe.
The dropped file is visible in the process list and may have one or two svchost.exe child processes.
The malware has its own SMTP engine, which tries to connect to the following addresses and send e-mails:
It also connects to the following addresses:
It drops a rootkit component (%SYSTEM%\drivers\[random].sys) that hooks the System Service Descriptor Table (SSDT).
This is how the virus hides the registry keys it creates.
So that the process also starts in Safe Mode, it creates the following registry keys:
So that the application starts with the operating system, the following keys are added:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cpl32ver (on the test machine)
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe
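The indicators above (a wuauclt.exe running from a fake "Microsoft Common" directory with svchost.exe children, a Run value, an Image File Execution Options key for explorer.exe, and a firewall exception for the dropped file) can be checked together with a small triage script. The following is an added example and is not BitDefender's code; it works on constructed in-memory snapshots that stand in for a process listing, a registry export and a firewall rule dump (on a real host these would come from tasklist, reg export and netsh). The "Debugger" value name under the IFEO key and the known-good Run entry are assumptions: the write-up names only the key, not its values.

```python
"""Triage for the indicators in the write-up (added example, not BitDefender code).

All inputs below are constructed samples. The IFEO 'Debugger' value name is an
assumption; the write-up only names the explorer.exe key.
"""
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    ppid: int
    name: str
    path: str


# Constructed process snapshot: the dropper (pid 1500) with two svchost children.
PROCS = [
    Proc(4, 0, "System", ""),
    Proc(600, 4, "services.exe", r"C:\Windows\System32\services.exe"),
    Proc(700, 600, "svchost.exe", r"C:\Windows\System32\svchost.exe"),
    Proc(1200, 900, "explorer.exe", r"C:\Windows\explorer.exe"),
    Proc(1500, 1200, "wuauclt.exe", r"C:\Program Files\Microsoft Common\wuauclt.exe"),
    Proc(1600, 1500, "svchost.exe", r"C:\Windows\System32\svchost.exe"),
    Proc(1601, 1500, "svchost.exe", r"C:\Windows\System32\svchost.exe"),
]

# Constructed registry export: key -> {value name: data}.
REG = {
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {
        "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
        "Cpl32ver": r"C:\Windows\System32\cpl32ver.exe",
    },
    r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe": {
        "Debugger": r"C:\Program Files\Microsoft Common\wuauclt.exe",  # assumed value name
    },
}

# Constructed firewall rule dump: (rule name, program path).
FIREWALL_RULES = [
    ("Core Networking - DNS (UDP-Out)", r"C:\Windows\System32\svchost.exe"),
    ("wuauclt", r"C:\Program Files\Microsoft Common\wuauclt.exe"),
]

REAL_SVCHOST = r"c:\windows\system32\svchost.exe"
REAL_WUAUCLT = r"c:\windows\system32\wuauclt.exe"


def orphan_svchosts(procs):
    """svchost.exe whose parent is not services.exe or whose image is not the real one.
    Returns [(pid, parent name)]; the injected children described above match this."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        if p.name.lower() != "svchost.exe":
            continue
        parent = by_pid.get(p.ppid)
        parent_name = parent.name.lower() if parent else None
        if parent_name != "services.exe" or p.path.lower() != REAL_SVCHOST:
            hits.append((p.pid, parent.name if parent else None))
    return hits


def masquerading_binaries(procs):
    """wuauclt.exe running from anywhere but %SYSTEM% is a copy, not the Update client."""
    return [p.path for p in procs
            if p.name.lower() == "wuauclt.exe" and p.path.lower() != REAL_WUAUCLT]


def ifeo_debuggers(reg):
    """Any Debugger value under Image File Execution Options launches in place of the target."""
    return [(key.rsplit("\\", 1)[1], values["Debugger"])
            for key, values in reg.items()
            if "\\image file execution options\\" in key.lower() and "Debugger" in values]


def suspicious_run_entries(reg, known_good=frozenset({"securityhealth"})):
    """Run values not on an allow-list (allow-list is an assumption for the sample)."""
    hits = []
    for key, values in reg.items():
        if key.lower().endswith(r"\currentversion\run"):
            hits.extend((n, c) for n, c in values.items() if n.lower() not in known_good)
    return hits


def firewall_exceptions_for(rules, paths):
    """Firewall rules whose program is one of the already-flagged binaries."""
    wanted = {p.lower() for p in paths}
    return [name for name, path in rules if path.lower() in wanted]


def triage(procs=PROCS, reg=REG, rules=FIREWALL_RULES):
    """Run all checks and correlate the firewall exception with flagged binaries."""
    report = {
        "orphan_svchost": orphan_svchosts(procs),
        "masquerading": masquerading_binaries(procs),
        "ifeo": ifeo_debuggers(reg),
        "run": suspicious_run_entries(reg),
    }
    flagged = set(report["masquerading"]) | {c for _, c in report["ifeo"]} | {c for _, c in report["run"]}
    report["firewall"] = firewall_exceptions_for(rules, flagged)
    return report


if __name__ == "__main__":
    for check, hits in triage().items():
        print(f"{check}: {hits}")
```

Because the rootkit hides its registry keys from the infected system, the registry checks are only reliable when run against an offline hive or from a clean boot environment; the process-tree check (svchost.exe not parented by services.exe) does not depend on the registry and is the more robust live indicator.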