10,240 bytes (UPX-packed)
(Backdoor.Win32.Breplibot.c (Kaspersky), Troj/Stinx-F (Sophos), W32/Brepibot virus (McAfee))
It is virtually impossible for a normal user to detect the presence of any files hidden by the Sony DRM software. See the technical description below.
Prior to 10 Nov 2005, this malware was detected proactively as BehavesLike:Win32.Sony-DRM-HiddenFile.
Please let BitDefender disinfect your files.
Patrik Vicol, virus researcher
Snyd.B is an improved variant of Snyd.A.
The author has corrected a few bugs and changed a few strings.
Once executed, the virus will do the following:
1. Checks whether it is running in a sandbox; if it is, it creates the mutex "Super" and exits.
2. Attempts to copy itself as %SYSTEM%\$sys$xp.exe; if the copy does not succeed, it retries every 1 second.
3. Verifies whether it is running for the first time by checking for the existence of the mutex "$sys$xp.exe". If it is, it does the following:
- creates the registry keys
"$sys$cmp" = "$sys$xp.exe"
- attempts to bypass the Windows Firewall by running a batch file that registers the trojan as a trusted program in the firewall list
- sends a notification of infection to an internet address on port 8080
4. If it is not running for the first time, it does the following:
- connects to 5 IRC servers, joins the #cell channel and waits for commands from an attacker
The commands may allow the attacker to see uptime, delete, download and execute files, and see system information (the user name is constructed from the computer name, the user name and random characters).
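
The behaviours listed above can be matched against endpoint telemetry for host triage. The following is an added example, not part of the original description and not BitDefender's code; the event schema (type, host, path, value_name, data, name, dport) and the host names are assumptions. Port 8080 and the "Super" mutex count only as corroboration, because neither is specific to this malware.

```python
import ntpath
from collections import defaultdict

# Names come from the description above; the event schema is an assumption.
DROPPED_NAME = "$sys$xp.exe"
RUN_VALUE = "$sys$cmp"

def classify(event):
    """Return (behaviour, is_strong) for one telemetry event, or None."""
    kind = event.get("type")
    if kind == "file_create":
        # Match on the file name only: %SYSTEM% differs between hosts.
        if ntpath.basename(event["path"]).lower() == DROPPED_NAME:
            return ("self-copy as $sys$xp.exe", True)
    elif kind == "reg_set":
        data_name = ntpath.basename(event["data"]).lower()
        if event["value_name"].lower() == RUN_VALUE and data_name == DROPPED_NAME:
            return ("registry value $sys$cmp", True)
    elif kind == "mutex_create":
        if event["name"] == DROPPED_NAME:
            return ("first-run mutex", True)
        if event["name"] == "Super":
            return ("sandbox-exit mutex", False)
    elif kind == "net_connect" and event["dport"] == 8080:
        return ("outbound connection to port 8080", False)
    return None

def triage(events):
    """Map each host with at least one strong match to its matched behaviours."""
    strong, seen = set(), defaultdict(list)
    for ev in events:
        hit = classify(ev)
        if hit and hit[0] not in seen[ev["host"]]:
            seen[ev["host"]].append(hit[0])
        if hit and hit[1]:
            strong.add(ev["host"])
    return {host: seen[host] for host in sorted(strong)}

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "ws-01", "type": "file_create", "path": r"C:\WINDOWS\system32\$sys$xp.exe"},
    {"host": "ws-01", "type": "reg_set", "value_name": "$sys$cmp", "data": "$sys$xp.exe"},
    {"host": "ws-01", "type": "net_connect", "dport": 8080},
    {"host": "ws-02", "type": "net_connect", "dport": 8080},
    {"host": "ws-03", "type": "mutex_create", "name": "Super"},
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

Only ws-01 is reported: ws-02 and ws-03 each show a single corroborating behaviour with no strong match.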