approx 94 kb
- presence of the following hidden files in temp folder: cvasds0.dll and herss.exe
- presence of the following hidden files in root of the system drive: autorun.inf, bveijo.exe
- presence of the registry value herss under HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Please let BitDefender disinfect your files.
Prelipcean Bogdan, virus researcher
The purpose of this malware is to steal credentials for online games.
When executed, it copies itself to the temp folder as herss.exe and drops a file named cvasds0.dll in the same folder; both files are given the hidden attribute. The DLL is then injected into the memory of explorer.exe and execution continues from there, so the malicious code runs under a trusted process name.
The injected dll is responsible for the following actions:
- It makes an additional copy of the executable in the root directory of the system drive, as bveijo.exe, and creates an autorun.inf file pointing to it.
- It registers the executable to run at startup by adding the value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\herss, pointing to herss.exe in the temp folder.
- It unchecks the option "Show hidden files and folders" under Folder Options -> View by modifying the registry, which keeps the hidden dropped files out of the user's sight.
- It disables the Registry Editor (regedit).
The injected DLL then steals passwords for several online games: MapleStory, Metin2, Knight Online and Silkroad.
The malware propagates by periodically re-creating autorun.inf and the associated executable in the root folder of the local partitions and of any removable drives, relying on AutoRun to launch the copy when such a drive is connected to another machine.
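The following PowerShell triage script is an added example, not part of this description and not a BitDefender tool. It checks a host for the indicators listed above: the hidden files in the temp folder, bveijo.exe and autorun.inf in the root of every local or removable volume, the herss value under the HKCU Run key, the Folder Options "Hidden" setting and the per-user DisableRegistryTools policy. The file names and the Run value come from the text; the page does not say which registry values the sample modifies to hide files and block regedit, so the Explorer\Advanced\Hidden and Policies\System\DisableRegistryTools checks are an assumption based on where Windows stores those two settings. Run it as the affected user, since the persistence lives in HKCU. It only reports and deletes nothing.

```powershell
# Added triage script for the indicators described above (not BitDefender's own tool).
# Assumption: run in the context of the affected user, so HKCU: is that user's hive.
$findings = @()

function Add-Finding([string]$What, [string]$Where) {
    $script:findings += [pscustomobject]@{ Indicator = $What; Location = $Where }
}

# 1. Hidden dropped files in the user's temp folder (-Force is needed to see hidden items)
foreach ($name in 'herss.exe', 'cvasds0.dll') {
    $p = Join-Path $env:TEMP $name
    if (Test-Path -LiteralPath $p) {
        $attrs = (Get-Item -LiteralPath $p -Force).Attributes
        Add-Finding "dropped file ($attrs)" $p
    }
}

# 2. Drive-root copy plus autorun.inf. The text says these are re-created periodically
#    on local partitions and removable drives, so every drive letter is checked.
$roots = Get-PSDrive -PSProvider FileSystem |
    Where-Object { $_.Root -match '^[A-Z]:\\$' } |
    ForEach-Object { $_.Root }
foreach ($root in $roots) {
    $exe = Join-Path $root 'bveijo.exe'
    $inf = Join-Path $root 'autorun.inf'
    if (Test-Path -LiteralPath $exe) { Add-Finding 'drive-root copy' $exe }
    if (Test-Path -LiteralPath $inf) {
        # Report what the autorun.inf would launch (open= / shellexecute= lines)
        $lines  = Get-Content -LiteralPath $inf -Force -ErrorAction SilentlyContinue
        $target = ($lines | Where-Object { $_ -match '^\s*(open|shellexecute)\s*=' }) -join '; '
        Add-Finding "autorun.inf ($target)" $inf
    }
}

# 3. Persistence: the Run value named herss
$run = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$v = Get-ItemProperty -Path $run -Name herss -ErrorAction SilentlyContinue
if ($v) { Add-Finding "Run value herss = $($v.herss)" $run }

# 4. Folder Options -> View: Hidden = 2 means "Do not show hidden files and folders".
#    (Assumed location of the setting the text says the DLL changes.)
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$hidden = (Get-ItemProperty -Path $adv -Name Hidden -ErrorAction SilentlyContinue).Hidden
if ($hidden -eq 2) { Add-Finding 'hidden files not shown (Hidden=2)' $adv }

# 5. Regedit disabled through the per-user policy value (assumed mechanism, see lead-in)
$pol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$drt = (Get-ItemProperty -Path $pol -Name DisableRegistryTools -ErrorAction SilentlyContinue).DisableRegistryTools
if ($drt -ge 1) { Add-Finding "DisableRegistryTools=$drt" $pol }

if ($findings.Count -eq 0) { 'No indicators found.' } else { $findings | Format-Table -AutoSize }
```

Two caveats when acting on the output: a positive on items 1 to 3 is a strong match for this sample, whereas items 4 and 5 can be set legitimately by group policy, so read them together with the file findings. If re-enabling "Show hidden files and folders" silently reverts, also inspect HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue, a value malware commonly tampers with to make the option ineffective; the page does not say whether this sample does so.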