Detect Date 07/10/2012
Class Virus
Platform Win32

The virus infects executable files stored in the following locations:

  • %system% (usually C:\Windows\system32)
  • %ProgramFiles% (usually C:\Program Files)
  • Files in shared folders
  • Files on removable media, remote (network) drives and virtual (RAM) disks, and files staged for CD burning
  • Files referenced from the following registry keys:
    Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper
    Software\Microsoft\Internet Explorer\Extensions
    Software\Microsoft\Internet Explorer\UrlSearchHooks
    Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approv
    Software\Classes\Directory\ShellEx\ContextMenuHandlers
    SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths
    SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
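As an added triage check (this script is not part of the original description), the following PowerShell walks the registry locations listed above, resolves every file they reference and reports files whose Authenticode signature is missing or invalid. It assumes an elevated session on the suspect host, and it completes the two key names that are cut short above as the standard "Browser Helper Objects" and "Shell Extensions\Approved" keys; those completions, and the choice of which values to read from each key, are assumptions.

```powershell
# Added triage script, not from the original description.
# Assumptions: elevated session on the suspect host; the two truncated key
# names above are the standard "Browser Helper Objects" and
# "Shell Extensions\Approved" keys.
$ErrorActionPreference = 'SilentlyContinue'
if (-not (Get-PSDrive HKCR)) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}

# Reduce a command string ("C:\x\y.exe" /arg, %ProgramFiles%\z.exe,0) to a file path.
function Get-PathFromCommand([string]$cmd) {
    if ([string]::IsNullOrWhiteSpace($cmd)) { return $null }
    $cmd = [Environment]::ExpandEnvironmentVariables($cmd.Trim())
    if ($cmd.StartsWith('"')) { return $cmd.Split('"')[1] }
    $cmd = $cmd.Split(',')[0]                      # drop ",iconindex" suffixes
    $m = [regex]::Match($cmd, '^(.+?\.(exe|dll|ocx|cpl))', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value } else { return $cmd }
}

# Map a CLSID to the module registered as its in-process or local server.
function Resolve-Clsid([string]$clsid) {
    foreach ($server in 'InprocServer32', 'LocalServer32') {
        $v = (Get-ItemProperty "HKCR:\CLSID\$clsid\$server").'(default)'
        if ($v) { return Get-PathFromCommand $v }
    }
    return $null
}

$paths = New-Object System.Collections.Generic.List[string]
foreach ($hive in 'HKLM', 'HKCU') {
    $wcv = "${hive}:\Software\Microsoft\Windows\CurrentVersion"
    $ie  = "${hive}:\Software\Microsoft\Internet Explorer"

    # Subkey names are CLSIDs.
    Get-ChildItem "$wcv\Explorer\Browser Helper Objects" |
        ForEach-Object { $paths.Add((Resolve-Clsid $_.PSChildName)) }

    # Value names are CLSIDs.
    foreach ($key in "$ie\UrlSearchHooks", "$wcv\Shell Extensions\Approved") {
        (Get-Item $key).Property | ForEach-Object { $paths.Add((Resolve-Clsid $_)) }
    }

    # IE extensions carry either a CLSID or a direct Exec path.
    Get-ChildItem "$ie\Extensions" | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        if ($p.ClsidExtension) { $paths.Add((Resolve-Clsid $p.ClsidExtension)) }
        if ($p.Exec)           { $paths.Add((Get-PathFromCommand $p.Exec)) }
    }

    # Context menu handlers: default value, or the subkey name itself, is a CLSID.
    Get-ChildItem "${hive}:\Software\Classes\Directory\shellex\ContextMenuHandlers" |
        ForEach-Object {
            $id = (Get-ItemProperty $_.PSPath).'(default)'
            if (-not $id) { $id = $_.PSChildName }
            $paths.Add((Resolve-Clsid $id))
        }

    # App Paths: default value is the executable.
    Get-ChildItem "$wcv\App Paths" |
        ForEach-Object { $paths.Add((Get-PathFromCommand (Get-ItemProperty $_.PSPath).'(default)')) }

    # Uninstall entries: UninstallString and DisplayIcon point at executables.
    Get-ChildItem "$wcv\Uninstall" | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        foreach ($v in $p.UninstallString, $p.DisplayIcon) { $paths.Add((Get-PathFromCommand $v)) }
    }
}

# Report every referenced file that exists but is not validly signed.
$paths | Where-Object { $_ -and (Test-Path -LiteralPath $_ -PathType Leaf) } |
    Sort-Object -Unique | ForEach-Object {
        $sig = Get-AuthenticodeSignature -LiteralPath $_
        if ($sig.Status -ne 'Valid') {
            [pscustomobject]@{
                File      = $_
                Status    = $sig.Status
                LastWrite = (Get-Item -LiteralPath $_).LastWriteTime
            }
        }
    }
```

An unsigned file is not proof of infection; many third-party programs ship unsigned binaries, so use the output to prioritise files for hashing and scanning rather than as a verdict. A recent LastWrite timestamp on an otherwise old installation is the stronger signal. For the %system% directory itself, `sfc /verifyonly` is the better integrity check: on Windows versions of the period, Get-AuthenticodeSignature does not consult catalog signatures, so catalog-signed system files would show as NotSigned here.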

A file that does not satisfy certain conditions, for example one protected by Windows File Protection (SFC), is not infected.

The virus attempts to connect to command-and-control servers whose addresses are hard-coded in its body. If none of these connections can be established, it falls back to servers whose domain names it generates itself using a fixed domain generation algorithm (DGA).

The virus can download additional encrypted modules from the control server, decrypt them and execute them on the infected system.

Please note

Several variants of this virus are known to exist. This description was written for a version current in August 2011.

