This is a worm that spreads through the Kazaa peer-to-peer network. It also performs some spying functions, gathering data on certain games installed on the affected PC. The worm is a Windows application (PE EXE file) written in Visual C, and its size is 196 608 bytes.
During installation the worm produces the following false error message concerning the archive extraction:
Subsequently it writes itself into the Windows directory under the following name:
This installation of the worm is then registered in the auto run key within the system registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
SVCHOST = %WindowsDir%\mrowyekdc.exe
The worm creates a folder named “User Files” in the Windows directory and writes itself into it under the following names:
This folder is then noted in the Windows system registry as Local Content for the file exchange network Kazaa:
HKCU\Software\Kazaa\LocalContent
dir0 = 012345:%Windir%\User Files
DisableSharing = "0"
As a result, the files contained in this folder become available for download to other users of P2P networks.
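The two registry changes described above can be checked offline against a `reg export` text dump. The following is an added example, not code from the original description; the sample export is constructed, the Windows directory is assumed to be C:\WINDOWS, and the function and indicator names are hypothetical.

```python
import re

# Constructed sample in `reg export` text format (not captured from a real host).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SVCHOST"="C:\\WINDOWS\\mrowyekdc.exe"
"Updater"="C:\\Program Files\\Vendor\\update.exe"

[HKEY_CURRENT_USER\Software\Kazaa\LocalContent]
"dir0"="012345:C:\\WINDOWS\\User Files"
"DisableSharing"="0"
'''

RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
KAZAA_KEY = r"hkey_current_user\software\kazaa\localcontent"

def parse_reg(text):
    """Return {lowercased key path: {value name: string data}} for REG_SZ values."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = re.match(r'"(.+?)"="(.*)"$', line)
            if m:  # .reg files escape backslashes in string data as "\\"
                current[m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys

def find_indicators(text, windir=r"C:\WINDOWS"):  # windir is an assumption
    keys, hits = parse_reg(text), []
    win = windir.lower()
    for name, data in keys.get(RUN_KEY, {}).items():
        # A Run value named after svchost whose target is not the real binary.
        if name.lower() == "svchost" and not data.lower().endswith(r"\system32\svchost.exe"):
            hits.append(("run-masquerade", name, data))
    kazaa = keys.get(KAZAA_KEY, {})
    for name, data in kazaa.items():
        # dirN data is "<prefix>:<path>"; flag shares located under the Windows directory.
        if re.fullmatch(r"dir\d+", name, re.I):
            path = data.split(":", 1)[-1]
            if path.lower().startswith(win + "\\"):
                hits.append(("kazaa-share-in-windir", name, path))
    if kazaa.get("DisableSharing") == "0" and any(h[0].startswith("kazaa") for h in hits):
        hits.append(("kazaa-sharing-enabled", "DisableSharing", "0"))
    return hits
```

Each hit is a tuple of indicator name, registry value name and data, so the results can be fed straight into a triage report.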
The worm checks the system registry for keys relating to popular computer games (Counter Strike, Diablo, Warcraft, Starcraft) and sends the gathered data to the worm’s “owner” over an SMTP server connection.
The worm checks the system’s date and time. If the month of the worm’s activation is earlier than August, it ceases performing its functions and deletes all its entries in the system registry.