BitDefender weekly review
When the worm is executed, it makes certain changes to the registry to ensure it is run on every system startup of the infected machine. Next it creates the hidden file “C:\boot.ini.ini”, in which it writes the current time and the logged-in user. Then it creates a copy of itself in the root directory of every accessible drive under the name “ntdetect.exe” and creates an autorun.inf file which points to the previously
In order to avoid antivirus detection it creates another copy of itself as %windir%\system32\system.exe and continues execution from that new location.
The new instance will perform the following actions every
- rewrite the startup registry key
- check whether any of its files have been removed, in which case it simply recreates them
- make new copies of autorun.inf, boot.ini.ini and ntdetect.exe on every drive
- make changes to the registry so that hidden files are not displayed, file extensions are not shown and system directories are not searchable with Windows Explorer
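The periodic re-dropping described above gives a defender a stable set of host indicators: an autorun.inf in each drive root that launches ntdetect.exe, the dropped ntdetect.exe and boot.ini.ini themselves, the relocated copy in %windir%\system32\system.exe, and Explorer view settings that hide hidden files and extensions. The script below is an added triage example, not code from the original review or from BitDefender; it assumes the dropped autorun.inf uses the standard open=, shellexecute= or shell\<verb>\command= directives, and it checks the standard Explorer "Advanced" registry values (Hidden, HideFileExt, ShowSuperHidden) because the review names only the effect, not the exact values the worm writes. The sample autorun.inf and the function names are constructed for the example.

```python
"""Host triage for the autorun worm described above (added example, not
BitDefender's code).  The pure functions are platform independent; the
__main__ block walks drive roots and the registry on Windows only."""
import os
import re
import sys
import tempfile
from pathlib import Path

# Launch directives of an autorun.inf [autorun] section: open=, shellexecute=,
# and shell\<verb>\command= (the Windows AutoRun format; assumed here).
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$")

# Constructed sample of what the worm's dropped autorun.inf would look like.
SAMPLE_AUTORUN = "[autorun]\nopen=ntdetect.exe\nshellexecute=ntdetect.exe\n"


def parse_autorun(text):
    """Return the key=value pairs of the [autorun] section, keys lowercased."""
    section, values = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "autorun" and "=" in line:
            key, _, val = line.partition("=")
            values[key.strip().lower()] = val.strip()
    return values


def first_token(command):
    """First token of a command line, honouring a leading double-quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def autorun_launch_targets(values):
    """Lowercased base names of every executable the autorun.inf would launch."""
    targets = []
    for key, val in values.items():
        if LAUNCH_KEY.match(key):
            exe = first_token(val).replace("\\", "/").rsplit("/", 1)[-1]
            targets.append(exe.lower())
    return targets


def triage_drive_root(root):
    """Report the worm's dropped files in one drive root (or any directory)."""
    root, findings = Path(root), []
    autorun = root / "autorun.inf"
    if autorun.is_file():
        targets = autorun_launch_targets(parse_autorun(autorun.read_text(errors="replace")))
        if "ntdetect.exe" in targets:
            findings.append(f"{autorun}: autorun.inf launches ntdetect.exe")
    # The genuine NT boot helper is ntdetect.COM; an ntdetect.EXE in a drive
    # root is the worm's copy, and boot.ini.ini is its hidden log file.
    for name in ("ntdetect.exe", "boot.ini.ini"):
        if (root / name).is_file():
            findings.append(f"{root / name}: dropped file present")
    return findings


def explorer_hides_files(advanced):
    """Findings for Explorer view values matching what the worm enforces.
    Keys are the standard values under HKCU\\Software\\Microsoft\\Windows\\
    CurrentVersion\\Explorer\\Advanced (assumed; the review names the effect only)."""
    findings = []
    if advanced.get("Hidden") == 2:
        findings.append("hidden files not displayed (Hidden=2)")
    if advanced.get("HideFileExt") == 1:
        findings.append("file extensions hidden (HideFileExt=1)")
    if advanced.get("ShowSuperHidden") == 0:
        findings.append("protected system files hidden (ShowSuperHidden=0)")
    return findings


def read_explorer_advanced():
    """Read the three view values from the live registry (Windows only)."""
    import winreg  # imported lazily so the module loads on any platform
    path = r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
    out = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
        for name in ("Hidden", "HideFileExt", "ShowSuperHidden"):
            try:
                out[name] = winreg.QueryValueEx(key, name)[0]
            except FileNotFoundError:
                pass
    return out


def demo_constructed_root():
    """Build a throwaway directory mimicking an infected drive root and triage it."""
    root = Path(tempfile.mkdtemp())
    (root / "autorun.inf").write_text(SAMPLE_AUTORUN)
    (root / "ntdetect.exe").write_bytes(b"MZ")  # constructed stand-in, not the worm
    return triage_drive_root(root)


if __name__ == "__main__":
    if sys.platform == "win32":
        roots = [Path(f"{c}:\\") for c in "ABCDEFGHIJKLMNOPQRSTUVWXYZ"]
        hits = [f for r in roots if r.exists() for f in triage_drive_root(r)]
        sys32 = Path(os.environ.get("WINDIR", r"C:\Windows")) / "system32" / "system.exe"
        if sys32.is_file():
            hits.append(f"{sys32}: relocated worm copy present")
        hits += explorer_hides_files(read_explorer_advanced())
    else:
        hits = demo_constructed_root()  # offline demonstration on the sample
    print("\n".join(hits) or "no indicators found")
```

Two caveats when reading the output. Hidden=2 and HideFileExt=1 are also the Windows defaults, so the registry findings only corroborate the file findings and are not an indicator on their own. And because the worm re-creates its files and rewrites its startup key on a timer, a clean scan is only meaningful after the running process has been stopped; re-run the triage afterwards to confirm nothing was re-dropped.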
If the registry editor or the task manager is started by the user, the worm immediately kills it, by searching all open window titles for the strings “registry editor” or “windows task manager”. If a window with “folder options” in its title is opened, the worm minimizes it and changes its title to “Registry error!”.
The worm has a tricky way of removing itself or stopping execution, probably a remnant from its author debugging it. It checks window titles for the strings “! Exit” or “! Restore”. If one is found, it changes the window title to “Type Exit Password” or “Type Restore Password” respectively. Then the worm waits for the window to change its title to the correct password, which was “M13Exit” to stop execution of the worm or “M13Restore” to make it uninstall itself from the infected system.
Another command it understood through this method is “! ShowUsers”, which made the worm generate a *.html file containing a list of the users it had infected up to that time.
The worm downloads a text file from “http://91.[removed].122/Dialer_Min/number.asp”; “number.txt” contains a single high-cost phone number, randomly generated from a list. The number is dialed if a modem is attached to your computer, thus inflating your phone bill.
in this article is available courtesy of BitDefender virus researchers: Lutas
Andrei Vlad and Horea Coroiu