5120 bytes (packed)
- Presence of the next files in %SYSTEM% folder:
regedit.exe (5120 bytes)
- Presence of the next registry keys or entries:
where %SYSTEM% points to "System" folder on Windows 9x systems and "System32" folder on WinNT systems.
Patrik Vicol BitDefender Virus Researcher
Once run, the virus does the following:
1. Creates a mutex COMP_NAME-sncZZmtx_133
where COMP_NAME is the victim's computer name
2. Deletes %SYSTEM%\regedit.exe and creates a copy of the virus as %SYSTEM%\regedit.exe
Note: Window's Registry editor regedit.exe resides in Windows (WinNT) folder.
3. Creates the registry key mentioned in Symptoms
4. Sees if the computer is connected to internet, if not, it waits for the computer to connect.
5. Starts a new thread that attempts to attack www.microsoft.com if the day is greater than 12, except January.
6. It spreads using the backdoor installed on port 3127 by the first Mydoom variant.