This is a file infector that has 2 components:
1. The main code that gets "injected" into the actual file and drops the main dll component
2. A DLL that will perform the actual infections (currently detected as Trojan.Delicium.A)
When an infected file gets executed, the virus will do the following:
- drop the dll file inside %windir%\system32 folder as dotnetfx.dll
- run the dll by passing it as an argument to rundll32.exe
- pass execution to the host
The DLL file is responsabile for making the actual infections.
When first ran, it will register itself at startup by adding the following registry key:
having the value: rundll32 dotnetfx.dll,repair and will add another registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\DotNetRecovery, setting its initial value to 'A'. Each time the dll is loaded, it will increment its value, and when it reaches 'Z', it will start its main infection routine. First of all, the virus will enumerate all accessible drives, will start searching files to infect (only .exe files will be infected), and it will delete every file
with one of the following extensions:
xls, mdb, doc, jpg, frm, wmv, mp3, sis, as, fla, APP, ppt, avi, mpg, 3gp, vb, jar, css, asp, aspx, jsp, java, pdf, psd, gif, cad, zip, rar and 3ds.
The infection mechanism is the following:
The virus will first read the headers, and check if the file is not already infected. As an infection-marker, it will write the ASCII string "PROZIUM32.." at the physical offset 0x4E (78 decimal) in the file. If it's not already infected, it will read its last section header and update its characteristics and size by reflecting the files properties after the infection. Then, it will write the code responsible for dropping the main component, and then it will append the entire DLL to that last section. It may also create a random-length overlay (probably to prevent infections by other viruses), that has the last 4 bytes set to the ASCII sequence ".MTS".