- the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Run\XRF, which points to %sysdir%\prestige.exe
- the "prestige.exe" file in the Windows System folder
- the file "m_regedit.exe" in the Windows folder
You should run the original registry editor (m_regedit.exe) and remove the entry XRF from HKLM\Software\Microsoft\Windows\CurrentVersion\Run, then delete the files regedit.exe and prestige.exe, and copy m_regedit.exe to regedit.exe.
Let BitDefender delete infected files.
Mihai Chiriac, BitDefender Virus Researcher
This mass-mailing worm was written in assembly language. It arrives attached to an email message looking like this:
From: "Fotos_PresTiGe" email@example.com
Subject: fotos INEDITAS del PRESTIGE en el fondo del Atlantico!
When the worm receives control (executed by the user), it displays the following "error" message:
In fact, it copies the original regedit.exe to m_regedit.exe and then copies itself as regedit.exe. It even fetches the ICON resource from the original regedit.exe. Then the worm copies itself to the Windows System directory as "prestige.exe" and registers itself to be loaded on every system startup. The worm opens the Internet Account Manager registry key and reads the current user's mail account information from it. Using this information and its own SMTP engine, the worm encodes itself in BASE64, then compresses itself as a ZIP file, and sends this ZIP file to the recipients stored in the user's address book.
The worm uses anti-debugging code (the IsDebuggerPresent API); if it is being debugged, it exits without sending the mails.
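The install artifacts described above (the XRF Run value, prestige.exe, and the displaced m_regedit.exe) can be checked before cleanup with a read-only script. This is an added example, not BitDefender's code; the function name `Test-PrestigeIndicators`, the WOW6432Node key and the hash comparison are assumptions added here, and PowerShell 4 or later is assumed for `Get-FileHash`.

```powershell
# Added example: read-only check for the artifacts this page lists. Changes nothing.
function Test-PrestigeIndicators {
    param(
        [string]$WindowsDir = $env:windir,
        [string]$SystemDir  = [Environment]::SystemDirectory   # %sysdir%
    )
    $findings = @()

    # Run key named on the page. The WOW6432Node path is an addition: on 64-bit
    # Windows a 32-bit process writing to HKLM\Software lands in that view.
    $runKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($props -and ($props.PSObject.Properties.Name -contains 'XRF')) {
            $findings += [pscustomobject]@{ Indicator = "Run value XRF in $key"; Detail = $props.XRF }
        }
    }

    # prestige.exe in the Windows System folder.
    $dropped = Join-Path $SystemDir 'prestige.exe'
    if (Test-Path -LiteralPath $dropped -PathType Leaf) {
        $findings += [pscustomobject]@{ Indicator = 'prestige.exe present'; Detail = $dropped }
    }

    # m_regedit.exe in the Windows folder is the displaced original editor.
    $backup  = Join-Path $WindowsDir 'm_regedit.exe'
    $regedit = Join-Path $WindowsDir 'regedit.exe'
    if (Test-Path -LiteralPath $backup -PathType Leaf) {
        $findings += [pscustomobject]@{ Indicator = 'm_regedit.exe present'; Detail = $backup }
        # If the two files differ, regedit.exe is not the original editor.
        if (Test-Path -LiteralPath $regedit -PathType Leaf) {
            $same = (Get-FileHash $backup -Algorithm SHA256).Hash -eq (Get-FileHash $regedit -Algorithm SHA256).Hash
            if (-not $same) {
                $findings += [pscustomobject]@{ Indicator = 'regedit.exe differs from m_regedit.exe'; Detail = $regedit }
            }
        }
    }
    return $findings
}

$result = Test-PrestigeIndicators
if ($result) { $result | Format-Table -AutoSize -Wrap } else { 'No Prestige indicators found.' }
```

On 64-bit Windows, run it a second time with `-SystemDir "$env:windir\SysWOW64"`, since file writes by a 32-bit process to the System folder are redirected there.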
The worm contains the following text strings:
PresTiGe bY XRF GrP,Diciembre2002 XRF code HiStorY 1990-2002 (Virus FaseII Virus3 TestIV TheHanGeD AuTumM92 ScaNner _1993_ ScaMer ScaMNer ModUlaR VRandom VRamExE VRaPExE W32_1st GxSMTP Anti29A ReWind HooKeY VHooKeY XPector UXPector WKaPExE dfendEr & WKaPCOM )