- Presence of the next files in %SYSTEM% folder:
AU.EXE (11,264 bytes)
- Presence of the next registry keys:
with the entries gid and frn
where %WINDOWS% points to Windows folder (or WinNT on Windows NT based systems)
%SYSTEM% points to "System" folder on Windows 9x systems and "System32" folder on WinNT systems.
Patrik Vicol BitDefender Virus Researcher
It arrives in an e-mail, formatted like this:
From: (spoofed address, could be anything)
Subject: ID %random_letters%... thanks
Yours ID %random_letters%
Attachment: %random_letters%.exe (11,264 bytes)
Subject: ID ldksy... thanks
Yours ID rnhyijwo
Attachment: jeqcnfmbiv.exe (11,264 bytes)
When run, the virus launches sndrec32.exe (Sound Recorder from Windows)
Then, it starts searching for e-mails in files with the following extensions:
wab txt htm html
Then, it tries to send itself to all the e-mail addresses found, in the e-mail format described above.
It sends a notification message to a list of web sites; the message contains information about the infected computer.
This information could be used for uploading other executable files to the infected computers.
The worm starts a thread that listens for connections from a remote machine.
This connection it is used for downloading a file and executing it, and it may be used as an auto update mechanism.