Size:
Affected OS: Win NT-based
Packed by: -
- While starting, the virus opens the following files: %windir%\linkinfo.dll, %systemroot%\system32\drivers\nvmini.sys and the temporary file %systemroot%\system32\drivers\IsDrv118.sys.
- Monitors the connection of new removable drives and, when one is connected, creates the files boot.exe and autorun.inf on it.
- Conceals its presence on the infected system by hiding its own files:
nvmini.sys
linkinfo.dll
autorun.inf
boot.exe
as well as registry branches whose names contain the substring "nvmini".
- Blocks the operation of the following drivers (anti-rootkit tools and network filters):
ISPUBDRV
ISDRV1
RKREVEAL
PROCEXP
SAFEMON
RKHDRV10
NPF
IRIS
NPPTNT
DUMP_WMIMMC
SPLITTER
EAGLENT
- Analyses driver import tables and blocks drivers that reference KeServiceDescriptorTable.
- Blocks the operation of the following libraries:
DLLWM.DLL
DLLHOSTS.DLL
NOTEPAD.DLL
RPCS.DLL
RDIHOST.DLL
RDFHOST.DLL
RDSHOST.DLL
LGSYM.DLL
RUND11.DLL
MDDDSCCRT.DLL
WSVBS.DLL
CMDBCS.DLL
RICHDLL.DLL
WININFO.RXK
WINDHCP.DLL
UPXDHND.DLL
- Injects its own library into Explorer.exe
- Waits for its updates in the file %windir%\AppPatch\AcLue.dll
- Infects files on all disks, except system files protected by SFC (System File Checker) and files located in the following subfolders:
\QQ
\WINNT\
\WINDOWS\
LOCAL SETTINGS\TEMP\
- Does not infect the following files:
zhengtu.exe
audition.exe
kartrider.exe
nmservice.exe
ca.exe
nmcosrv.exe
nsstarter.exe
maplestory.exe
neuz.exe
zfs.exe
gc.exe
mts.exe
hs.exe
mhclient-connect.exe
dragonraja.exe
nbt-dragonraja2006.exe
wb-service.exe
game.exe
xlqy2.exe
sealspeed.exe
asktao.exe
dbfsupdate.exe
autoupdate.exe
dk2.exe
main.exe
userpic.exe
zuonline.exe
config.exe
mjonline.exe
patcher.exe
meteor.exe
cabalmain.exe
cabalmain9x.exe
cabal.exe
au_unins_web.exe
xy2.exe
flyff.exe
xy2player.exe
trojankiller.exe
patchupdate.exe
ztconfig.exe
woool.exe
wooolcfg.exe
- Terminates the processes of other malware:
sxs.exe
lying.exe
logo1_.exe
logo_1.exe
fuckjacks.exe
spoclsv.exe
nvscv32.exe
svch0st.exe
c0nime.exe
iexpl0re.exe
ssopure.exe
upxdnd.exe
wdfmgr32.exe
spo0lsv.exe
ncscv32.exe
iexplore.exe
iexpl0re.exe
ctmontv.exe
explorer.exe
internat.exe
lsass.exe
smss.exe
svhost32.exe
rundl132.exe
msvce32.exe
rpcs.exe
sysbmw.exe
tempicon.exe
sysload3.exe
run1132.exe
msdccrt.exe
wsvbs.exe
cmdbcs.exe
realschd.exe
- Attempts to spread across the local network by connecting as Administrator with the following passwords:
""
"admin"
"1"
"111"
"123"
"aaa"
"12345"
"123456789"
"654321"
"!@#$"
"asdf"
"asdfgh"
"!@#$%"
"!@#$%^"
"!@#$%^&"
"!@#$%^&*"
"!@#$%^&*("
"!@#$%^&*()"
"qwer"
"admin123"
"love"
"test123"
"owner"
"mypass123"
"root"
"letmein"
"qwerty"
"abc123"
"password"
"monkey"
"password1"
If the connection succeeds, the virus creates the file setup.exe in the root folder of drive C and downloads it remotely.
- Attempts to download other malicious programs using the default browser, e.g.:
Trojan.PWS.Gamania.4375, Trojan.PWS.Wow.632, Trojan.PWS.Legmir.1949
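The removable-drive behaviour described above (a dropped boot.exe plus an autorun.inf that launches it) can be checked for with a small scanner. This is an added example, not part of the description, and the temporary directory it builds is constructed test data; because the virus hides these files on an infected system, run such a check from a clean boot (as in the removal steps) or from another machine.

```python
import os
import tempfile

AUTORUN_KEYS = ("open", "shellexecute")  # autorun.inf keys Windows honours for auto-execution

def autorun_launch_targets(drive_root):
    """Return the commands an autorun.inf in drive_root would launch, or [] if there is none."""
    path = os.path.join(drive_root, "autorun.inf")
    if not os.path.isfile(path):
        return []
    targets, in_autorun = [], False
    with open(path, encoding="latin-1", errors="replace") as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith(";"):  # blank line or comment
                continue
            if line.startswith("["):  # section header; names are case-insensitive
                in_autorun = line.lower() == "[autorun]"
                continue
            if in_autorun and "=" in line:
                key, value = (p.strip() for p in line.split("=", 1))
                key = key.lower()
                # shell\<verb>\command entries are launched via the context menu / default action
                if key in AUTORUN_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
                    targets.append(value)
    return targets

def scan_removable_drive(drive_root):
    """Flag the pattern from the description: boot.exe on the drive plus an autorun.inf that launches it."""
    targets = autorun_launch_targets(drive_root)
    boot_present = os.path.isfile(os.path.join(drive_root, "boot.exe"))
    launches_boot = any("boot.exe" in t.lower() for t in targets)
    return {"boot_exe_present": boot_present, "autorun_targets": targets,
            "suspicious": boot_present and launches_boot}

def build_constructed_sample(infected=True):
    """Create a temp directory standing in for a drive root (constructed data, not a real sample)."""
    root = tempfile.mkdtemp(prefix="drive_")
    if infected:
        with open(os.path.join(root, "autorun.inf"), "w") as fh:
            fh.write("[AutoRun]\nopen=boot.exe\nshellexecute=boot.exe\nicon=boot.exe,0\n")
        open(os.path.join(root, "boot.exe"), "wb").close()
    return root

if __name__ == "__main__":
    print(scan_removable_drive(build_constructed_sample()))       # suspicious: True
    print(scan_removable_drive(build_constructed_sample(False)))  # suspicious: False
```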
1. Disconnect the infected computer from the local network and/or the Internet and turn off the System Recovery service.
2. Download the free cure utility Dr.Web CureIt! on an uninfected computer, then copy it to external media.
3. Restart the infected computer in Safe Mode (press F8 at Windows startup) and scan it with Dr.Web CureIt!. Apply "Cure" to all detected objects.