|Detected|Aug 19 2011 10:33 GMT|
|Released|Jul 10 2012 10:34 GMT|
|Published|Aug 19 2011 10:33 GMT|
This polymorphic file virus infects Windows executable (PE) files. When infecting a file it uses an entry point obscuring (EPO) technique: rather than redirecting the PE entry point to itself, it hooks the host's code somewhere along its normal execution path, so the entry point looks unchanged. The virus body inside an infected file varies from 160 to 180 KB.
When an infected file is launched, the virus drops files into a Windows folder. The file names are derived from parameters of the infected computer, so they differ from machine to machine. The files contain encrypted data belonging to the virus.
The virus selects executable files to infect from those referenced in the following registry keys:
Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper
Software\Microsoft\Internet Explorer\Extensions
Software\Microsoft\Internet Explorer\UrlSearchHooks
Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approv
Software\Classes\Directory\ShellEx\ContextMenuHandlers
Software\Classes\Folder\ShellEx\ContextMenuHandlers
SOFTWARE\Classes\Protocol\Filter
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Classes\Applications
SOFTWARE\Clients\StartMenuInternet
SOFTWARE\Microsoft\Multimedia
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
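The following PowerShell script is an added example and is not part of the original description or of any vendor tooling. It walks the registry keys listed above, collects every executable or DLL they reference, and prints each file's path, SHA-256 and Authenticode status, which gives a responder the same candidate set of infection targets to hash, scan or diff against a known-good baseline. Two key names above are cut off on the page ("Browser Helper" and "Approv"); the script matches those two as prefixes and every other name exactly. How each key points at a file is my assumption about the keys' usual layout, not something the description states: CLSID-shaped subkey or value names are resolved through `HKCR\CLSID\{...}\InprocServer32`, and other keys are assumed to hold the path in a string value (App Paths default values, Run entries, UninstallString, `shell\open\command`, and so on).

```powershell
# Added example, not from the original description. Enumerates the PE files
# referenced by the registry keys the description lists, hashes them and
# reports their Authenticode status for triage.
# Assumptions (mine, not stated on the page): CLSID-named entries resolve via
# HKCR\CLSID\{...}\InprocServer32; other keys hold a file path in a string value.

$KeyPaths = @(
  'Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper',    # cut off on the page
  'Software\Microsoft\Internet Explorer\Extensions',
  'Software\Microsoft\Internet Explorer\UrlSearchHooks',
  'Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approv',   # cut off on the page
  'Software\Classes\Directory\ShellEx\ContextMenuHandlers',
  'Software\Classes\Folder\ShellEx\ContextMenuHandlers',
  'SOFTWARE\Classes\Protocol\Filter',
  'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
  'SOFTWARE\Classes\Applications',
  'SOFTWARE\Clients\StartMenuInternet',
  'SOFTWARE\Microsoft\Multimedia',
  'SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths',
  'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
)
# The two names cut off on the page are matched as prefixes; all others exactly.
$TruncatedOnPage = @('Browser Helper', 'Approv')
$GuidRe = '(?i)^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$'
$PeRe   = '(?i)"?([a-z]:\\[^"]*?\.(exe|dll|ocx|scr))"?'

# Pull an existing PE path out of a registry string such as "C:\x\y.exe" /arg.
function Get-PePathFromValue {
  param([string]$Value)
  if (-not $Value) { return $null }
  $m = [regex]::Match($Value, $PeRe)
  if (-not $m.Success) { return $null }
  $p = [Environment]::ExpandEnvironmentVariables($m.Groups[1].Value)
  if (Test-Path -LiteralPath $p -PathType Leaf) { return $p }
  return $null
}

# Resolve a CLSID to the in-process COM server it loads (assumed layout).
function Resolve-ClsidServer {
  param([string]$Clsid)
  foreach ($root in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKCU:\Software\Classes\CLSID') {
    $srv = Join-Path $root "$Clsid\InprocServer32"
    if (-not (Test-Path -LiteralPath $srv)) { continue }
    $def = (Get-ItemProperty -LiteralPath $srv -ErrorAction SilentlyContinue).'(default)'
    $p = Get-PePathFromValue $def
    if ($p) { return $p }
  }
  return $null
}

# Emit every subkey name, value name and string value under a key, to a depth limit.
function Get-StringsFromKey {
  param([string]$Path, [int]$Depth)
  if ($Depth -lt 0) { return }
  $item = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
  if (-not $item) { return }
  foreach ($name in $item.GetValueNames()) {
    $name
    $v = $item.GetValue($name)
    if ($v -is [string] -or $v -is [string[]]) { $v }
  }
  foreach ($sub in $item.GetSubKeyNames()) {
    $sub
    Get-StringsFromKey -Path (Join-Path $Path $sub) -Depth ($Depth - 1)
  }
}

$Found = @{}
foreach ($hive in 'HKLM:', 'HKCU:') {
  foreach ($kp in $KeyPaths) {
    $parent = Join-Path $hive (Split-Path $kp -Parent)
    $leaf   = Split-Path $kp -Leaf
    if (-not (Test-Path -LiteralPath $parent)) { continue }
    $keys = Get-ChildItem -LiteralPath $parent -ErrorAction SilentlyContinue |
      Where-Object { $_.PSChildName -eq $leaf -or
                     ($TruncatedOnPage -contains $leaf -and $_.PSChildName -like "$leaf*") }
    foreach ($key in $keys) {
      foreach ($s in Get-StringsFromKey -Path $key.PSPath -Depth 4) {
        $p = if ($s -match $GuidRe) { Resolve-ClsidServer $s } else { Get-PePathFromValue $s }
        if (-not $p -or $Found.ContainsKey($p.ToLower())) { continue }
        $Found[$p.ToLower()] = [pscustomobject]@{
          Path   = $p
          Sha256 = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
          Signed = (Get-AuthenticodeSignature -LiteralPath $p).Status
          Source = $key.Name
        }
      }
    }
  }
}
$Found.Values | Sort-Object Path | Format-Table -AutoSize
```

Run it from an elevated PowerShell so HKLM and the files under Program Files are readable. Because the virus modifies the host PE, any file that originally shipped with an Authenticode signature will no longer validate after infection, so a `HashMismatch` status on a vendor binary in this list deserves a closer look; files that were never signed need the hash compared against a clean copy instead.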
It attempts to connect to command-and-control servers whose addresses are stored in the virus body. If none of these can be reached, it falls back to servers whose domain names it generates itself according to a fixed algorithm (a domain generation algorithm). From the control server the virus can download additional encrypted modules, which are then decrypted and executed on the infected system.
Several variants of this virus are known to exist. This description was written for a version current in August 2011.
If your computer does not have an up-to-date antivirus solution, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:
Viruses replicate using the resources of the local machine only.
Unlike worms, viruses do not use network services to propagate or to penetrate other computers. A copy of a virus reaches a remote computer only if the infected object is activated there for some reason unrelated to the virus's own functionality. For example: