The worm loads the .dll file into all active processes.
The worm also intercepts mouse and keyboard events if one of the processes listed below has been launched:
The worm harvests account data relating to the following games:
Wanmi Shijie or Perfect World
Dekaron Siwan Mojie
R2 (Reign of Revolution)
Harvested data is sent to the remote malicious user’s site.
The worm also modifies the following system registry key parameter values:
“CheckedValue” = “0”
“Hidden” = “2”
“ShowSuperHidden” = “0”
“NoDriveTypeAutoRun” = “0x91”
For example, Worm.Win32.AutoRun.beot:
This worm copies itself to local disks and accessible network resources. It is a Windows PE EXE file, 47733 bytes in size, packed with FSG; the unpacked file is about 160 Kb. It is written in Delphi.
Once launched, the worm copies its body to a system disk of a user’s computer.
To ensure that the copy created is launched automatically each time the system is rebooted, the following registry key is created:
The worm copies its body to all writable removable disks connected to the infected computer. An “AutoRun.inf” file is created alongside the copy in the root of the infected disk, so that the copy runs each time a user opens the infected removable disk using “Explorer”.
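The registry values listed above and the AutoRun.inf propagation are linked: hidden-file display is turned off, and a NoDriveTypeAutoRun mask of 0x91 leaves AutoRun enabled for removable disks. The following is an added example, not part of the original description, that audits the decoded text of a `reg export` for those four values and decodes the mask. The function names are hypothetical, and the key paths in the constructed sample are the standard Explorer locations for these value names, which the page does not list.

```python
import re

# Values the page says the worm writes (value name -> data).
WORM_VALUES = {"CheckedValue": 0, "Hidden": 2, "ShowSuperHidden": 0,
               "NoDriveTypeAutoRun": 0x91}

# NoDriveTypeAutoRun is a bitmask: a set bit DISABLES AutoRun for that drive type.
DRIVE_BITS = {0x04: "removable", 0x08: "fixed", 0x10: "network",
              0x20: "cd-rom", 0x40: "ram-disk"}

# Constructed sample: decoded text of a `reg export`. Key paths are assumed
# (standard Explorer locations); the page gives only the value names and data.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
"ShowSuperHidden"=dword:00000000
"HideFileExt"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
'''

def parse_dwords(export_text):
    """Yield (key, value_name, int) for every DWORD value in a .reg export."""
    key = None
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{8})', line)
        if m and key:
            yield key, m.group(1), int(m.group(2), 16)

def autorun_enabled_types(mask):
    """Drive types for which AutoRun is still enabled under this mask."""
    return [name for bit, name in DRIVE_BITS.items() if not mask & bit]

def audit(export_text):
    """Return (key, name, data) for values matching what the worm is said to set."""
    return [(k, n, d) for k, n, d in parse_dwords(export_text)
            if WORM_VALUES.get(n) == d]

if __name__ == "__main__":
    for key, name, data in audit(SAMPLE_EXPORT):
        print(f"{key}\\{name} = {data:#x}")
    print("AutoRun still enabled for:", autorun_enabled_types(0x91))
```

A match on NoDriveTypeAutoRun alone is weak evidence, because 0x91 is also the stock default on Windows XP; the three hidden-file values appearing together are the stronger signal. A mask of 0xFF disables AutoRun for every drive type.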