(Trojan-Downloader.Win32.VB.hsi; W32/Autorun.worm.dq.gen virus)
The presence of the following files in the %SYSTEM% folder:
- XP-D41D8CD9.exe - this one has a folder icon in order to trick the user into opening it
- og.dll, og.EDT, ul.dll - these files are hidden and are not executable files
- com.run, dp1.fne, eAPI.fne, internet.fne, krnln.fnr, RegEx.fnr, shell.fne, spec.fne - these are library files of the E language
Please let BitDefender delete your files.
Dana Stanut, virus researcher
When first run, this malware will drop the library files related to the E programming language in the %TEMP%\E_4\ folder. Later, these files will be copied to the %SYSTEM% folder with the hidden attribute set. A copy of this worm will be created in the %SYSTEM% folder under the name XP-D41D8CD9.exe, along with the following registry key, which will cause this file to be run at every system startup:
Name : XP-D41D8CD9.exe
A link to this file will be added in the Startup Menu under " iiiiii ".
Next, it will drop og.dll, og.EDT and ul.dll in the %SYSTEM% folder. These files are not executable; they contain only some encrypted data.
The malware will then attempt to download the following files to the user's computer:
(When this description was made, only the second link was still active, and the downloaded file contained encrypted data that will be used by the worm.)
Every 30 seconds it will check for removable drives and, if any are found, it will copy itself to the drive as Recycled.exe and create an autorun.inf file that will run that copy.
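The file indicators and the removable-drive behaviour described above can be checked with a short triage script. This is an added example, not BitDefender's tooling: the function names are hypothetical, the directory paths are supplied by the caller, and the autorun.inf keys it inspects are the standard launch keys, assumed here because the description does not say which one the worm writes.

```python
import os

# File names taken from the description above (compared case-insensitively).
SYSTEM_INDICATORS = {
    "xp-d41d8cd9.exe", "og.dll", "og.edt", "ul.dll",
    "com.run", "dp1.fne", "eapi.fne", "internet.fne",
    "krnln.fnr", "regex.fnr", "shell.fne", "spec.fne",
}
WORM_COPY = "recycled.exe"


def scan_system_dir(system_dir):
    """Return the sorted indicator file names found in system_dir.

    os.listdir also returns files with the hidden attribute set.
    """
    try:
        names = os.listdir(system_dir)
    except OSError:
        return []
    return sorted(n for n in names if n.lower() in SYSTEM_INDICATORS)


def autorun_targets(inf_path):
    """Return the lower-cased commands an autorun.inf would launch."""
    targets = []
    with open(inf_path, "r", encoding="utf-8", errors="replace") as fh:
        for line in fh:
            key, sep, value = line.partition("=")
            key = key.strip().lower()
            # Assumed launch keys: open=, shellexecute=, shell\<verb>\command=
            if sep and (key in ("open", "shellexecute") or key.endswith("\\command")):
                targets.append(value.strip().strip('"').lower())
    return targets


def scan_drive_root(root):
    """Check one drive root for the worm copy and an autorun.inf that runs it."""
    entries = {n.lower(): n for n in os.listdir(root)}
    launches = False
    if "autorun.inf" in entries:
        inf = os.path.join(root, entries["autorun.inf"])
        launches = any(WORM_COPY in t for t in autorun_targets(inf))
    return {"copy_present": WORM_COPY in entries, "autorun_launches_copy": launches}
```

A file name match alone is only a lead: several of the E language library names also ship with legitimate programs written in that language, so confirm any hit with a full scan.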