This Trojan is written in Assembler, and is not packed in any way. The file is 8,192 bytes in size.
If the Trojan is launched from a directory other than %Windir%, the following error message will be displayed:
Once launched, the Trojan copies itself to the Windows system directory as “pic.exe”:
It then adds the string pic.exe to the load key in win.in:
The Trojan then creates 1500 folders in the Windows directory with names composed of zeros, ones, twos, threes, fours and fives.
The Trojan contains the following strings:
Macur-Copyright 1998-1999. 17 Apr 1999, ***firstname.lastname@example.org, ICQ# **216706
|Find out the statistics of the threats spreading in your region|