Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'schedl' = '%WINDIR%\Help\schedl.exe'
Creates or modifies the following files:
- %ALLUSERSPROFILE%\Start Menu\Programs\Startup\Startup.exe
Creates the following files on removable media:
- <Drive name for removable media>:\D.exe
Malicious functions:
Creates and executes the following:
- %WINDIR%\Help\schedl.exe
Modifies file system :
Creates the following files:
- %WINDIR%\WINDOWS.exe
- %ALLUSERSPROFILE%\Documents\My Music\My Music.exe
- %PROGRAM_FILES%\Program Files.exe
- C:\RECYCLER\RECYCLER.exe
- %ALLUSERSPROFILE%\Documents\My Pictures\My Pictures.exe
- %HOMEPATH%\My Documents\My Music\My Music.exe
- %HOMEPATH%\My Documents\My Pictures\My Pictures.exe
- %ALLUSERSPROFILE%\Documents\My Videos\My Videos.exe
- %HOMEPATH%\My Documents\Downloads\Downloads.exe
- <Auxiliary element>
- C:\C.exe
- %HOMEPATH%\My Documents\My Ducuments.exe
- %WINDIR%\Help\schedl.exe
- %ALLUSERSPROFILE%\Start Menu\Programs\Programs.exe
- <Current directory>\af32d3b0.exe
- C:\Documents and Settings\Documents and Settings.exe
- %ALLUSERSPROFILE%\Start Menu\Start Menu.exe
- %ALLUSERSPROFILE%\Desktop\Desktop.exe
Sets the 'hidden' attribute to the following files:
- %WINDIR%\Help\schedl.exe
Deletes the following files:
- %ALLUSERSPROFILE%\Start Menu\Programs\Startup\Startup.exe
- %TEMP%\~DFCB37.tmp
