9728 bytes


- Files PrTecTor.exe, m_Base64.xrf and m_WAB.xrf in the system directory (usually C:\Windows\System (Win95/98/Me); C:\WINNT\System32 (WinNT, Win 2000); C:\Windows\System32 (WinXP))
- File m_regedit.exe in Windows directory
- If the date is set to the year 2003, Windows will shut down immediately after logon.

Removal instructions:

- Let BitDefender delete the infected files.
- Rename m_regedit.exe to regedit.exe, then use it to delete the registry value shown above.

Analyzed By

Costin Ionescu BitDefender Virus Researcher

Technical Description:

This is an Internet worm written in assembly language; it uses encryption techniques to slow down the analysis process. The virus works on all Windows platforms for Intel processors.
The worm arrives as a zip file attached to an e-mail with the format:
From: Alerta_RaPida
Subject: ProTeccion TOTAL contra W32/Bugbear (30dias)
If the user unzips the archive and executes the file ProTecT.exe, the virus shows the following fake message (only the first time it is executed):

After the user presses the OK button, the virus renames the original regedit.exe file to m_regedit.exe and copies itself as regedit.exe, changing its icon to regedit's default icon. Next it checks whether the date is in the year 2003, in which case it exits Windows.
It installs itself in the system directory as PrTecTor.exe and sets the registry value:
With the string data equal to the PrTecTor.exe full path.
It reads the information about the default Internet Account, steals the e-mail addresses from the WAB (Windows Address Book) and puts them into the file m_WAB.xrf in the System directory. It creates a ZIP archive, which will be used as the attachment in the infected e-mails, and encodes it in Base64 format (used in e-mail attachments).
After this it checks every minute for an Internet connection, and when the user connects to the Internet it starts sending e-mails with the format shown above to the e-mail addresses stored in the m_WAB.xrf file. After it successfully sends an e-mail, it deletes that address from the file.
Since it is disguised as regedit.exe, when the user tries to run regedit.exe it deletes the above registry key (so the user cannot detect it by looking at that registry key), and when the program is closed it writes the registry value back.
The author is probably Spanish and calls himself XRF. He named this virus WKaPCOM.
Sending the virus inside an archive will probably trick some deficient antiviral protections at user level or mail-server level.
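
The file indicators listed above (the three files dropped in the system directory and the regedit.exe swap in the Windows directory) can be checked with a short script. This is an added example, not BitDefender's tooling; the function names are hypothetical, and it assumes the 9728-byte figure on this page is the worm's file size.

```python
import os

# File names taken from the description above.
SYSTEM_DIR_FILES = ("PrTecTor.exe", "m_Base64.xrf", "m_WAB.xrf")
# Assumption: the "9728 bytes" stated on the page is the worm's size,
# so a regedit.exe of exactly that size may be the worm's copy.
WORM_SIZE = 9728


def _find(directory, name):
    """Case-insensitive file lookup (Windows file names ignore case)."""
    try:
        for entry in os.listdir(directory):
            path = os.path.join(directory, entry)
            if entry.lower() == name.lower() and os.path.isfile(path):
                return path
    except OSError:
        pass  # directory missing or unreadable: nothing to report
    return None


def scan(windows_dir, system_dirs):
    """Return a list of (indicator, path) findings for this worm."""
    findings = []
    for sysdir in system_dirs:
        for name in SYSTEM_DIR_FILES:
            path = _find(sysdir, name)
            if path:
                findings.append(("dropped-file", path))
    # The original regedit.exe is renamed to m_regedit.exe.
    backup = _find(windows_dir, "m_regedit.exe")
    if backup:
        findings.append(("renamed-regedit", backup))
    # The worm copies itself over regedit.exe.
    regedit = _find(windows_dir, "regedit.exe")
    if regedit and os.path.getsize(regedit) == WORM_SIZE:
        findings.append(("regedit-size-match", regedit))
    return findings


if __name__ == "__main__":
    win = os.environ.get("SystemRoot", r"C:\Windows")
    dirs = [os.path.join(win, "System"), os.path.join(win, "System32")]
    for kind, path in scan(win, dirs):
        print(kind, path)
```

A size match on regedit.exe alone is only a hint; together with m_regedit.exe in the same directory it corresponds to the swap described above.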