- the presence of the following file c:\resycled\boot.com and an autorun.inf pointing to boot.com.
- system running slowly
Please let BitDefender delete the infected files.
Dana Stanut, virus researcher
When run, this malware first drops two files, tmp1.tmp and tmp2.tmp, in the %TEMP% folder.
The first file is injected into spoolsv.exe under the name dll.dll and is the main component of the malware. It communicates over HTTP with the following site: http://18.104.22.168. It is also able to change the computer's DNS settings in order to steal the user's sensitive information. The changed DNS addresses are 22.214.171.124 and 126.96.36.199. It also creates the following registry keys:
- msqpdxaff @= 0xBFF
- msqpdxid @= rfy... (the first DNS address, encrypted)
- msqpdxinfo @= 3qxvy... (the second DNS address, encrypted)
- msqpdxpff @= 0x1F03
- msqpdxrun @= 0x47 (the key used to decrypt the DNS addresses)
- msqpdxsw @= 0x6802f719
The second file is a modified version of advapi32.dll, which is copied over the original. It is used to load dll.dll at every system startup (it is detected as Trojan.Patched.CK).
To spread to every removable drive, the worm copies itself to c:\resycled\boot.com on the drive and creates an autorun.inf file pointing to that copy.
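As an added triage example (not part of the original description), the following Python check looks for the indicators listed above in constructed host artifacts: the worm copy, an autorun.inf that launches boot.com, the msqpdx* registry values and the rogue DNS servers. The autorun.inf entries it parses (open=, shellexecute=, shell\...\command=) are an assumption about how such a file launches boot.com, and all sample inputs are constructed.

```python
from typing import Dict, Iterable, List

# Indicators copied from the description above; the IP addresses are used as printed there.
WORM_COPY = r"c:\resycled\boot.com"
ROGUE_DNS = {"22.214.171.124", "126.96.36.199"}
REGISTRY_VALUES = {"msqpdxaff", "msqpdxid", "msqpdxinfo",
                   "msqpdxpff", "msqpdxrun", "msqpdxsw"}

def autorun_points_to_boot_com(autorun_inf: str) -> bool:
    """True when an autorun.inf launches boot.com.
    Assumption: the launch is expressed through the usual open=, shellexecute=
    or shell\\<verb>\\command= entries of the [autorun] section."""
    for raw in autorun_inf.splitlines():
        key, sep, value = raw.partition("=")
        if not sep:
            continue
        key = key.strip().lower()
        launches = key in ("open", "shellexecute") or (
            key.startswith("shell\\") and key.endswith("\\command"))
        if launches and "boot.com" in value.strip().lower():
            return True
    return False

def assess_host(files: Iterable[str], autorun_inf: str,
                registry_values: Dict[str, object],
                dns_servers: Iterable[str]) -> List[str]:
    """Return one finding per indicator from the description that is present."""
    findings: List[str] = []
    if any(f.lower() == WORM_COPY for f in files):
        findings.append("worm copy present: " + WORM_COPY)
    if autorun_points_to_boot_com(autorun_inf):
        findings.append("autorun.inf launches boot.com")
    hits = sorted(n for n in registry_values if n.lower() in REGISTRY_VALUES)
    if hits:
        findings.append("registry values: " + ", ".join(hits))
    rogue = sorted(set(dns_servers) & ROGUE_DNS)
    if rogue:
        findings.append("DNS redirected to: " + ", ".join(rogue))
    return findings

# Constructed sample of an infected removable drive plus host settings.
SAMPLE_AUTORUN = "[autorun]\nopen=resycled\\boot.com\nshell\\open\\command=resycled\\boot.com\n"
SAMPLE_FILES = [r"C:\resycled\boot.com", r"C:\autorun.inf", r"C:\Windows\system32\spoolsv.exe"]
SAMPLE_REGISTRY = {"msqpdxaff": 0xBFF, "msqpdxrun": 0x47, "msqpdxsw": 0x6802F719}
SAMPLE_DNS = ["22.214.171.124", "126.96.36.199"]

if __name__ == "__main__":
    for line in assess_host(SAMPLE_FILES, SAMPLE_AUTORUN, SAMPLE_REGISTRY, SAMPLE_DNS):
        print(line)
```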