(I-Worm.Mimail.u (Kaspersky), Troj/Pinbol-A (Sophos), W32/Cyclop.A.worm (Panda))
Presence of the following file in Windows System directory: SMVC32.EXE
Presence of the following registry key:
with the value:
SMVC = %SYSDIR%\SMVC32.EXE
Let BitDefender delete all files found infected with this worm.
Adrian Gostin, BitDefender Virus Researcher
When run, the worm does the following:
Copies itself to the Windows System directory as SMVC32.EXE.
Creates the following registry keys:
- HKLM\Software\Microsoft\CurrentVersion\Run\SMVC = %SYSDIR%\SMVC32.EXE, so it will be executed every time Windows starts up;
- HKCU\Software\socks\ ;
Connects to a predefined IRC server and listens for commands (such as "execute", "shutdown" etc.).
Harvests e-mail addresses from the infected computer, stores them in the file "c:\cyclop.bin" and periodically sends them to the attacker through e-mail.
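
A read-only PowerShell check for the indicators listed above, added here as an example and not part of the BitDefender write-up. The second Run-key path (with `\Windows`) is an assumption, since the description writes the key without it; the HKCU check covers only the user running the script.

```powershell
# Added example: triage check for the indicators named in this description.
# Read-only: it reports findings and changes nothing on the system.

$sysDir  = [Environment]::SystemDirectory        # resolves %SYSDIR%
$dropped = Join-Path $sysDir 'SMVC32.EXE'        # copy the worm drops

# Run key exactly as the description writes it, plus the standard Windows
# Run key (assumption: the description omits "\Windows" from the path).
$runKeys = @(
    'HKLM:\Software\Microsoft\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)

$findings = @()

if (Test-Path -LiteralPath $dropped -PathType Leaf) {
    $findings += "File present: $dropped"
}

foreach ($key in $runKeys) {
    # A missing key is not an error for this check, so suppress it.
    $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
    if ($null -ne $props -and $props.PSObject.Properties.Name -contains 'SMVC') {
        $findings += "Run value SMVC in $key = $($props.SMVC)"
    }
}

# Key created under the current user's hive.
if (Test-Path -LiteralPath 'HKCU:\Software\socks') {
    $findings += 'Registry key present: HKCU\Software\socks'
}

# File where harvested e-mail addresses are stored.
if (Test-Path -LiteralPath 'C:\cyclop.bin' -PathType Leaf) {
    $findings += 'Harvest file present: C:\cyclop.bin'
}

if ($findings.Count -eq 0) {
    'No indicators from this description found.'
} else {
    $findings
}
```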