Win32.HLLW.Autoruner1.25062
Added to the Dr.Web virus database: 2012-08-19
Virus description added: 2012-09-09
Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Shell' = 'Explorer.exe EngiNeer.EXE'
Creates the following files on removable media:
- <Drive name for removable media>:\O2.EXE
- <Drive name for removable media>:\P2.EXE
- <Drive name for removable media>:\M2.EXE
- <Drive name for removable media>:\N2.EXE
- <Drive name for removable media>:\S2.EXE
- <Drive name for removable media>:\T2.EXE
- <Drive name for removable media>:\Q2.EXE
- <Drive name for removable media>:\R2.EXE
- <Drive name for removable media>:\G2.EXE
- <Drive name for removable media>:\H2.EXE
- <Drive name for removable media>:\E2.EXE
- <Drive name for removable media>:\F2.EXE
- <Drive name for removable media>:\K2.EXE
- <Drive name for removable media>:\L2.EXE
- <Drive name for removable media>:\I2.EXE
- <Drive name for removable media>:\J2.EXE
- <Drive name for removable media>:\U2.EXE
- <Drive name for removable media>:\F3.EXE
- <Drive name for removable media>:\G3.EXE
- <Drive name for removable media>:\D3.EXE
- <Drive name for removable media>:\E3.EXE
- <Drive name for removable media>:\J3.EXE
- <Drive name for removable media>:\K3.EXE
- <Drive name for removable media>:\H3.EXE
- <Drive name for removable media>:\I3.EXE
- <Drive name for removable media>:\X2.EXE
- <Drive name for removable media>:\Y2.EXE
- <Drive name for removable media>:\V2.EXE
- <Drive name for removable media>:\W2.EXE
- <Drive name for removable media>:\B3.EXE
- <Drive name for removable media>:\C3.EXE
- <Drive name for removable media>:\Z2.EXE
- <Drive name for removable media>:\A3.Exe
- <Drive name for removable media>:\D2.EXE
- <Drive name for removable media>:\G1.EXE
- <Drive name for removable media>:\H1.EXE
- <Drive name for removable media>:\E1.EXE
- <Drive name for removable media>:\F1.EXE
- <Drive name for removable media>:\K1.EXE
- <Drive name for removable media>:\L1.EXE
- <Drive name for removable media>:\I1.EXE
- <Drive name for removable media>:\J1.EXE
- <Drive name for removable media>:\Autorun.inf
- <Drive name for removable media>:\eng.exe
- <Drive name for removable media>:\HACKED.txt
- <Drive name for removable media>:\ЗбЗОКСЗЮ.txt
- <Drive name for removable media>:\C1.EXE
- <Drive name for removable media>:\D1.EXE
- <Drive name for removable media>:\A1.exe
- <Drive name for removable media>:\B1.EXE
- <Drive name for removable media>:\M1.EXE
- <Drive name for removable media>:\X1.EXE
- <Drive name for removable media>:\Y1.EXE
- <Drive name for removable media>:\V1.EXE
- <Drive name for removable media>:\W1.EXE
- <Drive name for removable media>:\B2.EXE
- <Drive name for removable media>:\C2.EXE
- <Drive name for removable media>:\Z1.EXE
- <Drive name for removable media>:\A2.Exe
- <Drive name for removable media>:\P1.EXE
- <Drive name for removable media>:\Q1.EXE
- <Drive name for removable media>:\N1.EXE
- <Drive name for removable media>:\O1.EXE
- <Drive name for removable media>:\T1.EXE
- <Drive name for removable media>:\U1.EXE
- <Drive name for removable media>:\R1.EXE
- <Drive name for removable media>:\S1.EXE
Malicious functions:
Terminates or attempts to terminate the following user processes:
Modifies settings of Windows Explorer:
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'NoRun' = '0031'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'NoSetTaskbar' = '0031'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'NoControlPanel' = '0031'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'NoClose' = '0031'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'NoFind' = '0031'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'NoFileMenu' = '0031'
Modifies file system:
Creates the following files:
- C:\Autorun.inf
- C:\eng.exe
- C:\ЗбЗОКСЗЮ.txt
- %WINDIR%\EngiNeer.EXE
- C:\HACKED.txt
Sets the 'hidden' attribute to the following files:
- <Drive name for removable media>:\eng.exe
- <Drive name for removable media>:\Autorun.inf
- C:\eng.exe
- C:\Autorun.inf
Miscellaneous:
Searches for the following windows:
- ClassName: '' WindowName: 'System Restore'
- ClassName: '' WindowName: 'System Properties'
- ClassName: '' WindowName: 'Folder Options'
- ClassName: '' WindowName: 'Services'
- ClassName: 'ConsoleWindowClass' WindowName: ''
- ClassName: '' WindowName: ''
- ClassName: '' WindowName: 'System Configuration Utility'