- Ad-Aware Free Antivirus+
- Ad-Aware Personal Security
- Ad-Aware Pro Security
- Ad-Aware Total Security
- Ad-Aware Business Security
- PC Tuneup
- Data Security
- Trial Center
- Security Center
- English ▾
- Contact Us
Size: The virus is polymorphic, which accounts for the varying size.
It is a malicious program that infects executable files.
The virus injects its code into the address space of all the processes running on the system. The injected code adds system interceptors to the following functions of the ntdll.dll library:
The virus uses these interceptors to watch over files and applications. Once a process is run and/or an executable file is open, the virus infects it.
The virus infects Windows PE-EXE files with the following extensions:
The virus does not infect files containing the following strings in the name:
During infection, the virus expands the last PE-section of the file being infected and writes its polymorphic body there. It then redirects the program entry point to its body.
In addition, the virus starts scanning all logical drives for files with the following extensions:
and adds to them the following string:
<iframe src="<url, from which an updated antivirus version is downloaded >/" width=1 height=1 style="border:0"></iframe>
Being activated, the virus adds process executable file it works in to the list of trusted Windows Firewall applications by adding the following registry key:
"<path_to_the_infected_file>"="< path_to_the_infected_file >*:enabled:@shell32.dll,-1"
To disable Windows file protection, the virus uses undocumented function of the "sfc_os.dll" library.
The virus tries to connect to the following IRC intruder servers:
If it succeeds, it sends the following commands to the server:
JOIN #.<rnd1>, где rnd1 – random number
The virus then waits for commands from the IRC server.
The virus supports the following commands:
It allows downloading malicious files, storing them in the current user’s temporary folder and launching them for execution.
On the PC, the virus opens URL indicated by the intruder.
The virus makes attempts to connect to one of the intruder servers which domain name is formed according to the special algorithm, as follows:
Servers did not work when the description was created.
The virus adds the following registry key:
"ProxyEnable" = "0"
In addition, the virus blocks access to websites that have any the following strings in their domain name:
Run a full scan of your computer using the Antivirus program with the updated definition database (Download Ad-Aware Free).