Increased system activity, CPU usage and network usage.
Presence of the files:
"%WinDir%\Tasks\0x01xx8p.exe"
Please let BitDefender disinfect your files.
Adrian Stefan Popescu, virus researcher
The malware is a file infector that affects PE executable files.
When an infected executable is run, it drops only the malware code from the infected file into %Temp%\ WinDir.EXT and runs it.
When it runs, it copies itself into %WinDir%\Tasks\0x01xx8p.exe.
It first infects the file %System%\spoolsv.exe.
After this infection, it tries to download a configuration file into one of these files:
- %WinDir%\kkk.txt
- %WinDir%\config.txt
With the instructions from the configuration file it does the following:
1. Download files from http://888.[REMOVED].com/00/ and run them.
2. It infects all the web related files with the extension:
The infection is done by writing one or more lines at the end of the file, lines that can be found in the configuration file.
3. Infects all the PE files from all fixed drives with the following extensions:
With the exception of:
4. Spreads to all removable drives. This is done by creating an “autorun.inf” which runs a copy of the malware code that has been copied onto the removable drive.
If the host computer doesn’t have internet connectivity, only the file %system%\spoolsv.exe is infected; the malware then copies the infected spoolsv.exe onto removable drives and creates an “autorun.inf”.
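A triage check for the artifacts described above, as an added example that is not part of the original write-up: it looks for the three file paths named here under a given Windows directory and lists the entries of an autorun.inf that launch a program. The function names, the sample autorun.inf content and the file name copy.exe are constructed for illustration; config.txt is a common file name, so a hit on it alone is a weak indicator.

```python
import re
import tempfile
from pathlib import Path

# Paths named in the write-up, relative to %WinDir%.
IOC_FILES = ["Tasks/0x01xx8p.exe", "kkk.txt", "config.txt"]

# autorun.inf keys that start a program: open=, shellexecute=, shell\<verb>\command=
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)


def find_ioc_files(windir):
    """Return the files from IOC_FILES that exist under windir."""
    return [rel for rel in IOC_FILES if (Path(windir) / rel).is_file()]


def autorun_launch_targets(text):
    """Return (key, command) pairs from the [autorun] section that launch a program."""
    hits, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            # Section names are case-insensitive; only [autorun] is honoured.
            in_section = line.lower().startswith("[autorun]")
            continue
        if not in_section or line.startswith(";") or "=" not in line:
            continue  # junk lines and comments are skipped, not treated as errors
        key, value = (part.strip() for part in line.split("=", 1))
        if LAUNCH_KEY.match(key) and value:
            hits.append((key.lower(), value))
    return hits


def demo():
    # Constructed sample data: a fake %WinDir% tree and a fake autorun.inf.
    with tempfile.TemporaryDirectory() as tmp:
        windir = Path(tmp)
        (windir / "Tasks").mkdir()
        (windir / "Tasks" / "0x01xx8p.exe").write_bytes(b"MZ")
        (windir / "kkk.txt").write_text("constructed")
        found = find_ioc_files(windir)
    sample = ("; junk\n[AutoRun]\nopen=copy.exe\nicon=folder.ico\n"
              "shell\\explore\\command = copy.exe\n[other]\nopen=ignored.exe\n")
    return found, autorun_launch_targets(sample)


if __name__ == "__main__":
    print(demo())
```

On a live host, pass the real Windows directory to `find_ioc_files` and the text of each removable drive's autorun.inf to `autorun_launch_targets`.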
It also kills all processes which run the following files: