
Win32.Donghe.A@mm

LOW
MEDIUM
49152 bytes
(N/A)

Symptoms

  • file exporler.exe in Windows System directory;

  • exporler.exe %1 %* in the Default value of the registry key:
    HKLM\SOFTWARE\Classes\exefile\shell\open\command

  • file MSKernel.vbs in Windows System directory

  • file Win32Dll.vbs in Windows directory

Removal instructions:

  1. If you don't have BitDefender installed click here to download an evaluation version.

  2. Make the following changes in the Windows registry:

     Note: Please make sure to modify only the values that are specified. It is also recommended to back up the Windows registry before proceeding with these changes. For more information on backing up the registry please read the FAQ.

     1. Select Run... from Start, then type regedit and press Enter;
     2. Go to the following key:
        HKLM\Software\Classes\exefile\shell\open\command
        and change the Default value (from the right pane) to %1 %*.
     3. Delete the following keys:
        MSKernel32 from
        HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
        Win32Dll from
        HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

  3. Perform a full scan of your system (selecting, from the Action tab, the option Prompt user for action). Choose to delete all the files infected with Win32.Donghe.A@mm.

Analyzed By

Sorin Victor Dudea, BitDefender Virus Researcher

Technical Description:

The virus arrives through e-mail in the following format:
From: randomly generated name
Subject: a Chinese string randomly selected from a hard-coded list. There is a small chance that the subject will be the following text: just for my father !.
Attachment: Hello.exe or Hello.vbs

When the user opens the attachment, the worm copies itself to the System directory under the name exporler.exe. It then replaces the Default value of the following registry key:
HKLM\SOFTWARE\Classes\exefile\shell\open\command
with exporler.exe %1 %*. In this way the worm is executed every time an exe file is opened.

The worm tries to send 10 e-mails in every Windows session. It uses 7 hard-coded free SMTP servers, and the e-mails are only ever sent to users that have e-mail accounts on those servers. The e-mail addresses are randomly generated from some hard-coded strings. For every e-mail sent there is a 50% chance that the worm will attach a vbs script carrying its payload instead of the worm itself.

When the user opens the hello.vbs attachment, the script creates two copies of itself: %Windows%\Win32Dll.vbs and %System%\MSKernel.vbs.

It also adds two entries to the registry:
MSKernel32 with value %System%\MSKernel.vbs in
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
and Win32Dll with value %Windows%\Win32Dll in
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

It also changes the browser start page to the URL:
http://www.hziee.edu.cn
After that it searches for every file with the extension exe, dll, dat, mp3 or doc and deletes them.
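The following read-only check script is an added example, not part of the Bitdefender write-up: it reports the indicators described above (the exefile handler hijack, the MSKernel32/Win32Dll autorun entries and the dropped files) without changing anything, so the removal steps listed earlier can be applied only where something is actually found. It assumes an elevated PowerShell session on the inspected machine, that %System% maps to System32 (on NT-based Windows), and that the stock value of the exefile open command is "%1" %*.

```powershell
# Added check script (not part of the Bitdefender write-up). Read-only: it reports
# the Win32.Donghe.A@mm indicators listed above and changes nothing.
# Assumption: run in an elevated PowerShell on the machine being inspected.
$findings = @()

# 1. exefile handler hijack. A clean Windows install has "%1" %*; the worm
#    prepends exporler.exe so that it runs on every .exe launch.
$cmdKey = 'HKLM:\SOFTWARE\Classes\exefile\shell\open\command'
$cmd = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
if ($cmd -and $cmd -ne '"%1" %*') {
    $findings += "exefile open command is '$cmd' (expected '`"%1`" %*')"
}

# 2. Autorun entries written by the VBS component (RunServices exists only
#    on Windows 9x, so a missing key is simply skipped).
$autoruns = @{
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'         = 'MSKernel32'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices' = 'Win32Dll'
}
foreach ($key in $autoruns.Keys) {
    $name = $autoruns[$key]
    $val = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    if ($val) { $findings += "$key\$name = '$val'" }
}

# 3. Dropped files. Assumption: %System% is System32 and %Windows% is its parent.
$files = @(
    (Join-Path $env:SystemRoot 'System32\exporler.exe'),
    (Join-Path $env:SystemRoot 'System32\MSKernel.vbs'),
    (Join-Path $env:SystemRoot 'Win32Dll.vbs')
)
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $findings += "file present: $f" }
}

if ($findings.Count -eq 0) {
    'No Win32.Donghe.A@mm indicators found.'
} else {
    'Indicators found:'
    $findings | ForEach-Object { " - $_" }
}
```

The exefile check flags any non-stock value, not only the exporler.exe string, because a hijacked handler is worth inspecting whatever name it carries.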