Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Cab' = '%PROGRAM_FILES%\Cab\Cab.exe'
Creates the following services:
- [<HKLM>\SYSTEM\ControlSet001\Services\Fwsrv] 'ImagePath' = 'System32\Fws.exe'
- [<HKLM>\SYSTEM\ControlSet001\Services\BITS] 'ImagePath' = '%SystemRoot%\system32\svchost.exe -k netsvcs'
- [<HKLM>\SYSTEM\ControlSet001\Services\Fw] 'Start' = '00000002'
- [<HKLM>\SYSTEM\ControlSet001\Services\Fwsrv] 'Start' = '00000002'
Malicious functions:
To complicate detection of its presence in the operating system,
forces the system hide from view:
- hidden files
- file extensions
Creates and executes the following:
- %PROGRAM_FILES%\Cab\pesc.exe
- %TEMP%\Regini.exe
- %TEMP%\<Virus name> .exe
Modifies file system :
Creates the following files:
- <SYSTEM32>\vo.pdf
- %TEMP%\Instdrv.exe
- <SYSTEM32>\zv.pdf
- <SYSTEM32>\vi.pdf
- %PROGRAM_FILES%\Cab\zv.pdf
- %PROGRAM_FILES%\Cab\fwset.exe
- %PROGRAM_FILES%\Cab\pesc.exe
- %PROGRAM_FILES%\Cab\vi.pdf
- %PROGRAM_FILES%\Cab\vo.pdf
- <SYSTEM32>\ftp2.exe
- C:\System Volume Information\tracking.log.tmp
- %PROGRAM_FILES%\Cab\Cab.exe
- %TEMP%\<Virus name> .exe
- <DRIVERS>\Repod.sys
- %TEMP%\Regini.exe
- <SYSTEM32>\fws.exe
- %TEMP%\fws.ini
- <DRIVERS>\Fw.sys
- %TEMP%\Fw.ini
Deletes the following files:
- %TEMP%\fws.ini
- %TEMP%\Instdrv.exe
- %TEMP%\<Virus name> .exe
- C:\System Volume Information\tracking.log.tmp
- %TEMP%\Regini.exe
- %TEMP%\Fw.ini
Miscellaneous:
Searches for the following windows:
- ClassName: 'Shell_TrayWnd' WindowName: ''
