| Detected | Oct 29 2009 14:07 GMT |
| Released | Jan 09 2013 12:15 GMT |
| Published | Oct 29 2009 14:07 GMT |
This file virus infects Windows executable files. It is malicious code contained in Windows PE EXE files. The virus body is about 17 Kb, though because it uses polymorphic encryption its size may vary.
The virus injects its code into the address spaces of all the processes running in the system. The injected code intercepts the following system functions in the ntdll.dll library:
NtCreateFile
NtCreateProcess
NtCreateProcessEx
NtOpenFile
NtQueryInformationProcess

Using these system functions, the virus tracks files that are opened and any applications launched for execution. When the virus detects a new process being launched or an executable file being opened, it infects it. Files with .EXE and .SCR extensions are infected; these are Windows (PE EXE) applications. The virus does not infect files whose names contain any of the following strings: “WINC”, “WCUN”, “WC32”, “PSTO”. When infecting a file, the virus expands the PE section and writes its own polymorphic body into it. It then modifies the program’s entry point so that it leads to the virus code.
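A defensive heuristic for the infection pattern just described (a PE section expanded to hold the virus body, entry point redirected into it), written here as an added example rather than code from Kaspersky or this entry. It assumes the expanded section is the file's last one and that a clean build keeps its entry point in the first executable section; the PE headers it parses are constructed inline as sample input.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000  # section characteristics flag

def pe_entry_and_sections(data):
    """Return (entry_rva, [(name, virtual_address, size, characteristics), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, num_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint
    sections = []
    for i in range(num_sections):
        name, vsize, va, rawsize, *_, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, max(vsize, rawsize), chars))
    return entry_rva, sections

def entry_point_report(data):
    """Flag the infection shape described above: entry point inside the last
    section (assumed to be the one the virus expands) rather than in .text."""
    entry_rva, sections = pe_entry_and_sections(data)
    for idx, (name, va, size, chars) in enumerate(sections):
        if va <= entry_rva < va + size:
            last = idx == len(sections) - 1
            return {"section": name, "last": last, "executable": bool(chars & IMAGE_SCN_MEM_EXECUTE),
                    "suspicious": last and len(sections) > 1}
    return {"section": None, "last": False, "executable": False, "suspicious": True}

def build_sample_pe(entry_rva, sections):
    """Constructed PE32 header (not a runnable program) used as sample input."""
    opt = bytearray(224)                       # PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)      # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n.encode().ljust(8, b"\0"),
                                 s, va, s, 0, 0, 0, 0, 0, c) for n, va, s, c in sections)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))  # e_lfanew
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table

# Constructed samples: a normal layout, and the post-infection shape (last section grown, executable, holding the entry point).
CLEAN = build_sample_pe(0x1010, [(".text", 0x1000, 0x2000, 0x60000020),
                                 (".data", 0x3000, 0x1000, 0xC0000040)])
INFECTED_SHAPE = build_sample_pe(0x3800, [(".text", 0x1000, 0x2000, 0x60000020),
                                          (".data", 0x3000, 0x5000, 0xE0000040)])
```

`entry_point_report(INFECTED_SHAPE)` reports the entry point in an executable last section, which is worth a closer look; legitimate packers produce the same shape, so treat it as a triage signal, not a verdict.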
The virus adds the executable file of the host process to the Windows firewall list of trusted applications.
Then it disables the “Restore system files” function.
The virus attempts to contact the following IRC servers:
prox*****ircgalaxy.pl
irc*****ef.pl

If a connection is established, the virus sends the following commands to the server:
NICK dewxxpyi
USER b
JOIN #.<rnd1>

where rnd1 is a random number. The virus then enters standby mode, ready to receive commands from the malicious IRC server and execute them.
The virus is capable of executing the following commands:
The virus also scans the victim computer’s hard drive for files with the following extensions:
HTM
PHP
ASP

If found, it adds the following string into them:
If your computer does not have an up-to-date antivirus, or has no antivirus solution at all, follow the instructions below to delete the malicious program: update your Kaspersky Anti-Virus databases and perform a full scan of the computer.
Viruses replicate on the resources of the local machine.
Unlike worms, viruses do not use network services to propagate or penetrate other computers. A copy of a virus will reach remote computers only if the infected object is, for some reason unrelated to the virus function, activated on another computer. For example: