Unsolicited messages in Instant Messaging applications which have the following form (picture below): "foto :D [shortend_url]" . The shortened URLcontains the worm which has the icon of a picture so it can trick the user that the malware is in fact a photo. If the user executes the file then an explorer window will appear, followed by a new browser window containing a list of contacts from a known social networking Website. After, it hides itself by modifying the properties of the file (to hidden).
Please let BitDefender disinfect your files.
Daniel Chipiristeanu, virus researcher
The Trojan spreads by spamming instant messages to contacts.
The malicious application copies itself in the operating system's folder with the name "jusched.exe", which is similar to a known programming language file. In order to start itself each time the operating systems runs the following registry values are added :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run with "Java developer Script Browse" which contains the path of the Trojan "%Windir%\jusched.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run : "Java developer Script Browse" with the value "%Windir%\jusched.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run : "Java developer Script Browse" with the value "%Windir%\jusched.exe"
It adds itself as an authorized application for the system's firewall by adding a value into the following keyHKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List .
It stops the Windows Automatic Updates Service, preventing the user from getting the necessary updates, including the ones that ensure the security of the system. It also tries to stop msmpsvc.exe which belongs to Microsoft Malware Protection Service.
It has the ability to send messages to contacts on the following instant messaging applications : Skype, Yahoo Messenger, AIM (AOL Instant Messenger).