Size: 41472 bytes
This is a malicious program that infects executable files.
When run, the virus searches for the "svchost.com" file in the Windows root directory and deletes it:
The virus then creates a new "%WinDir%\svchost.com" file and copies its body into it.
The virus modifies the value of the following system registry key parameter:
"(default)" = "%WinDir%\svchost.com "%1" %*"
As a result, the virus is launched whenever an EXE file is run on the system; the virus body receives the name of the program the user started as its parameter.
The virus creates a "directx.sys" file in the Windows root directory:
The virus writes to this file the paths of the files it will infect on its next run.
To ensure that only one instance of its process runs on the system, the virus creates a unique identifier with the following name:
The virus searches for and infects PE-EXE files on all logical disks it finds. Files must meet the following criteria:
- The file size must be at least 41472 bytes and must not exceed 10000000 bytes;
- The file must not be located on logical disks A or B, or on a CD-ROM;
- The file must be located neither in the Windows root directory (%WinDir%) nor in the Windows program directory (%ProgramFiles%).
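The two facts above that a responder can check directly are the hijacked registry command value and the target-selection criteria. The following Python helpers, added here as an example and not part of the original description, (a) parse an EXE "open" command value and report whether something has been inserted in front of "%1", and (b) evaluate a file path and size against the infection criteria so that a scan can be prioritised to the files the virus would actually have touched. The clean command value '"%1" %*', the directory names and the sample paths are assumptions made for the example; the size limits are the ones the description gives.

```python
import re
from typing import Optional, Set

# Values taken from the description: the virus body is 41472 bytes and it only
# infects files between 41472 and 10000000 bytes.
VIRUS_BODY_SIZE = 41472
MAX_TARGET_SIZE = 10_000_000

# Assumption: on a clean system the EXE "open" command is just '"%1" %*'.
# The description shows only the hijacked form, with the virus path in front.
CLEAN_EXE_COMMAND = '"%1" %*'

# Regex that splits an "open" command into <prefix> "%1" %* ; a non-empty
# prefix means another program is launched before the user's EXE.
_OPEN_CMD_RE = re.compile(r'^\s*(.*?)\s*"%1"\s*%\*\s*$')


def hijack_handler(command_value: str) -> Optional[str]:
    """Return the program inserted in front of "%1" in an EXE open command,
    or None when the value is the clean '"%1" %*' form or does not parse."""
    m = _OPEN_CMD_RE.match(command_value)
    if not m:
        return None
    prefix = m.group(1).strip().strip('"')
    return prefix or None


def exe_command_is_hijacked(command_value: str) -> bool:
    """True if the EXE open command launches anything other than the EXE itself."""
    return command_value.strip() != CLEAN_EXE_COMMAND


def matches_infection_criteria(
    path: str,
    size: int,
    windir: str = r"C:\Windows",              # assumption: %WinDir% on this host
    programfiles: str = r"C:\Program Files",  # assumption: %ProgramFiles% on this host
    cdrom_drives: Set[str] = frozenset(),     # drive letters that are CD-ROMs
) -> bool:
    """True if a file with this path and size is one the virus would infect:
    PE-EXE, 41472..10000000 bytes, not on A:, B: or a CD-ROM, and not under
    %WinDir% or %ProgramFiles%."""
    p = path.lower()
    if not p.endswith(".exe"):
        return False
    if not (VIRUS_BODY_SIZE <= size <= MAX_TARGET_SIZE):
        return False
    drive = p[0] if len(p) > 1 and p[1] == ":" else ""
    if drive in ("a", "b") or drive in {d.lower() for d in cdrom_drives}:
        return False
    for excluded in (windir, programfiles):
        if p.startswith(excluded.lower().rstrip("\\") + "\\"):
            return False
    return True


if __name__ == "__main__":
    # Constructed sample inputs: the command value from the description and a
    # few candidate files on a hypothetical host.
    sample_command = r'%WinDir%\svchost.com "%1" %*'
    print("hijacked:", exe_command_is_hijacked(sample_command),
          "handler:", hijack_handler(sample_command))
    for candidate, size in [(r"D:\Tools\app.exe", 50_000),
                            (r"C:\Windows\notepad.exe", 50_000),
                            (r"D:\small.exe", 40_000)]:
        print(candidate, matches_infection_criteria(candidate, size))
```

The criteria check deliberately takes the path and size as plain arguments rather than touching the file system, so it can be run against an inventory export from any host; the CD-ROM exclusion cannot be inferred from a path alone and is therefore passed in explicitly.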
The virus writes its body to the beginning of the file being infected and redirects the program entry point to the virus body. Part of the original program file is encrypted in the process.
If the virus body is run with a parameter equal to the name of the program the user launched, the program name passed as the parameter is resolved to its full path, which is written to the "%WinDir%\directx.sys" file for subsequent infection, provided the file meets the infection criteria listed above.
When an infected file is run (its size exceeds 41472 bytes), the virus body executes first; it then decrypts the encrypted part of the original program file, restores the program to the body it had before infection, and executes it.
If the virus cannot restore the original program body, the program file being restored is written to the temporary directory of the current Windows user ("3582-490") under its original name:
The original file is then executed.
The virus body contains the following strings:
To delete the malicious program, follow the steps listed below: