- presence of the file “winldr.exe” in the %sysdir% directory - presence of the file “dload.dat” in the %sysdir% directory. - presence of the file “url.dat” in the %sysdir% directory.
At startup, the virus copies itself to the %sysdir% directory under the name “winldr.exe”. However, the virus is not run like an ordinary process. Instead, it injects itself in svchost.exe and runs the rest of the virus as a thread in that process, therefore all the malicious actions seem to come from svchost.exe (which is a legitimate and critical Windows process).
The method the virus uses for automatic loading at system startup is the following: it registers itself as a system shell under the key HKLM\MicrosoftWindows NT\CurrentVersion\WinlogonShell. It then registers the current process as an “authorized application” in the system’s firewall list, therefore enabling unrestricted network access.
Once the basis have been established, the virus proceeds to the next stage: self propagation. It has two spreading methods: P2P attacks and mass mailing.
The virus searches in the registry the sharing folders of a few P2P programs (some of the largest and most commonly used). The affected programs: Kazza, Imesh, Morpheus, E-Donkey, LimeWire. The virus searches these folders for all files with the .exe extension and modifies them so that the files contain also copies of itself.
The virus will search all local drives for files that have one of the following extensions:
.wab .txt .msg .htm .shtm .stm .xml .dbx .mbx .mdx .eml .nch .mmf .ods .cfg .asp .php .wsh .adb .tbb .sht .xls .oft .uin .cgi .mht .dhtm .jsp
It extracts the e-mail addresses that may reside in those files and then creates threads that will send attachements of itself to those addresses.
From: “name” "complete_email" (spoofed)
To: “name” "complete_email"
Subject: (random string)
The virus will extract what may be the name in the e-mail address (for example, will extract Joe from email@example.com) and put it in the From and To fields.
The virus will not send e-mails to addresses that contain one of the following strings:
@hotmail @msn @microsoft rating@ f-secur news update anyone@ bugs@ contract@ feste gold-certs@ help@ info@ nobody@ noone@ kasp admin crosoft @messagelab root@ abuse panda linux unix spam antispam
The virus uses its own SMTP engine.
The virus will alternately try and download files from a list of predefined sites and execute them or extract information from them. It will use for this purpose a few additional files for storage of information (url.dat and dload.dat).
List of sites: