W32/Autorun.worm.i.gen

Type
Virus
SubType
Generic Worm
Discovery Date
07/12/2007
Length
Varies
Minimum DAT
5073 (07/12/2007)
Updated DAT
5353 (08/04/2008)
Minimum Engine
5.1.00
Description Added
07/12/2007
Description Modified
12/23/2007 9:32 AM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

As this detection covers many variants, the characteristics of this worm, such as file names and registry keys, will differ depending on how the attacker configured it. The following is therefore a general description.

Upon execution, the worm infects Microsoft Word documents found on the victim machine by prepending its own body to each .doc file and renaming the result from ".doc" to ".exe", so the original document is left intact after the worm's code. When a user runs the infected file, the worm executes its payload and then opens the appended Word document, so the user sees the document they expected.
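Because the worm prepends itself, the original document is recoverable from an infected file. The following is an added example (not McAfee's tooling or code from the worm) that triages a suspect .exe for this pattern and carves out the appended document. It assumes the worm body is a PE image (starts with "MZ") and the appended file is a classic OLE2 compound-document .doc whose header begins with the signature D0 CF 11 E0 A1 B1 1A E1; the "infected" bytes it operates on are constructed in the block, not taken from a real sample.

```python
# Added example: carve the Word document that W32/Autorun.worm.i.gen leaves
# appended behind its own body. Assumptions: the worm body is a PE ("MZ") and
# the document is an OLE2/CFB .doc. The sample bytes are constructed.
import struct
from typing import Optional

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # OLE2 compound file signature
PE_MAGIC = b"MZ"


def find_appended_doc_offset(data: bytes) -> int:
    """Offset of the first OLE2 header after the PE stub, or -1.

    Searching from offset 1 skips files that are plain .doc documents. The
    search is naive: a worm body that happened to contain the signature would
    give a wrong offset, so callers validate the carved result with is_valid_cfb.
    """
    if not data.startswith(PE_MAGIC):
        return -1
    return data.find(OLE_MAGIC, 1)


def carve_appended_doc(data: bytes) -> Optional[bytes]:
    """Return the bytes from the OLE2 signature to end of file, or None."""
    off = find_appended_doc_offset(data)
    if off < 0:
        return None
    doc = data[off:]
    # The CFB header alone is 512 bytes; anything shorter cannot be a document.
    return doc if len(doc) >= 512 else None


def is_valid_cfb(doc: bytes) -> bool:
    """Sanity-check the CFB header: byte-order mark and sector-size field."""
    if len(doc) < 512 or not doc.startswith(OLE_MAGIC):
        return False
    byte_order, sector_shift = struct.unpack_from("<HH", doc, 0x1C)
    return byte_order == 0xFFFE and sector_shift in (9, 12)


def triage_exe(name: str, data: bytes) -> dict:
    """Decide whether an .exe is a carrier for a prepended-infection .doc and
    suggest the name to restore (the worm renamed .doc to .exe)."""
    off = find_appended_doc_offset(data)
    doc = carve_appended_doc(data)
    carrier = doc is not None and is_valid_cfb(doc)
    stem = name[:-4] if name.lower().endswith(".exe") else name
    return {
        "name": name,
        "carrier": carrier,
        "doc_offset": off,
        "recovered_name": stem + ".doc" if carrier else None,
    }


def build_constructed_sample() -> bytes:
    """Constructed stand-in for an infected file: a fake 264-byte PE stub
    followed by a minimal CFB header padded to one 512-byte sector."""
    fake_worm = b"MZ" + b"\x90" * 62 + b"FAKE WORM BODY (constructed)".ljust(200, b"\x00")
    header = bytearray(512)
    header[0:8] = OLE_MAGIC
    # minor version, major version, byte order (0xFFFE), sector shift (512 bytes)
    struct.pack_into("<HHHH", header, 0x18, 0x003E, 0x0003, 0xFFFE, 0x0009)
    return fake_worm + bytes(header)


if __name__ == "__main__":
    sample = build_constructed_sample()
    print(triage_exe("Quarterly report.exe", sample))
```

On a real case, write the carved bytes to the recovered name and open them in a patched Word on an isolated machine; the carved document is only as trustworthy as the file it came from, and a `find` hit inside the worm body is the failure mode the `is_valid_cfb` check exists for.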

The worm also copies itself to the following locations:

  •  %Windir%\winnt.exe
  •  %Windir%\winsyst.exe
  •  %Systemdir%\normal.dot
  •  %Systemdir%\export\services.exe

The following registry keys are added:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    "this free" =  %Windir%\winsyst.exe
    "vbwg cute" =  %Windir%\winnt.exe

The following registry keys are modified:

  • HKEY_CLASSES_ROOT\.inf
    "(Default)" = "txtfile"
  • HKEY_CLASSES_ROOT\.reg
    "(Default)" = "txtfile"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    "Hidden" = 2
    "HideFileExt" = 1
    "SuperHidden" = 1
    "ShowSuperHidden" = 0

Remapping the .inf and .reg file types to "txtfile" makes double-clicking such a file open it in Notepad instead of installing the INF or merging the registry file, which defeats the common manual repair of running a .reg fix; reg.exe import and regedit.exe /s still work because they do not go through the file association. The Explorer values hide files with the hidden attribute, hide file extensions (so Thoojloi.exe is displayed as Thoojloi) and hide protected operating system files. Note that Hidden = 2, HideFileExt = 1 and ShowSuperHidden = 0 are also the out-of-the-box defaults, so on their own they are not evidence of infection; the .inf/.reg remaps and the Run values are the reliable indicators.
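The registry indicators above can be checked offline against a hive export. The following is an added example (not McAfee's tooling) that parses the subset of .reg syntax that reg.exe export produces and reports the Run values and file-type remaps from this page as strong indicators, and the Explorer\Advanced values as weak ones. The clean defaults it compares against ("inffile" and "regfile") and the two export texts are constructed for the example; the value names, paths and data come from this page.

```python
# Added example: scan a decoded "reg export" text for the registry indicators
# listed on this page. The sample exports below are constructed, not captured.
import re
from typing import Dict, List, Tuple

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
ADVANCED_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"

# Strong indicators: (key, value name) -> substring expected in the data.
STRONG = {
    (r"HKEY_CLASSES_ROOT\.inf", "@"): "txtfile",
    (r"HKEY_CLASSES_ROOT\.reg", "@"): "txtfile",
    (RUN_KEY, "this free"): "winsyst.exe",
    (RUN_KEY, "vbwg cute"): "winnt.exe",
}
# Weak indicators: also the defaults on a clean install, so they only corroborate.
WEAK = {
    (ADVANCED_KEY, "Hidden"): 2,
    (ADVANCED_KEY, "HideFileExt"): 1,
    (ADVANCED_KEY, "ShowSuperHidden"): 0,
}

_VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Parse [key] headers, "name"="string", @="string" and "name"=dword:hex.
    Keys and value names are lower-cased (the registry is case-insensitive);
    other data types (hex:, multi-line) are skipped."""
    tree: Dict[str, Dict[str, object]] = {}
    key = None
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            tree.setdefault(key, {})
            continue
        m = _VALUE_RE.match(line)
        if key is None or not m:
            continue
        name = "@" if m.group("default") else m.group("name").replace('\\"', '"').lower()
        data = m.group("data")
        if data.startswith("dword:"):
            tree[key][name] = int(data[6:], 16)
        elif data.startswith('"') and data.endswith('"'):
            # .reg doubles backslashes and escapes quotes inside string data
            tree[key][name] = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    return tree


def find_indicators(tree: Dict[str, Dict[str, object]]) -> List[Tuple[str, str, str]]:
    findings = []
    for (key, name), needle in STRONG.items():
        val = tree.get(key.lower(), {}).get(name.lower())
        if isinstance(val, str) and needle.lower() in val.lower():
            findings.append(("strong", key, name))
    for (key, name), expected in WEAK.items():
        if tree.get(key.lower(), {}).get(name.lower()) == expected:
            findings.append(("weak", key, name))
    return findings


def assess(text: str) -> dict:
    """Infected only if at least one strong indicator is present."""
    findings = find_indicators(parse_reg_export(text))
    strong = [f for f in findings if f[0] == "strong"]
    weak = [f for f in findings if f[0] == "weak"]
    return {"infected": bool(strong), "strong": strong, "weak": weak}


# Constructed export resembling an infected machine (paths are assumptions).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.inf]
@="txtfile"

[HKEY_CLASSES_ROOT\.reg]
@="txtfile"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
"HideFileExt"=dword:00000001
"ShowSuperHidden"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"this free"="C:\\WINDOWS\\winsyst.exe"
"vbwg cute"="C:\\WINDOWS\\winnt.exe"
'''

# Constructed export of a clean machine: default associations, default Explorer values.
CLEAN_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.inf]
@="inffile"

[HKEY_CLASSES_ROOT\.reg]
@="regfile"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
"HideFileExt"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

if __name__ == "__main__":
    print(assess(SAMPLE_EXPORT))
    print(assess(CLEAN_EXPORT))
```

reg.exe writes exports as UTF-16LE with a byte-order mark, so decode the file with that encoding before passing the text in. Because the worm remaps .reg to Notepad, collect the export with reg.exe export from a command prompt rather than through Explorer.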

The worm terminates applications whose title contains one of the following strings:

  • anti
  • application data
  • command prompt
  • compact
  • compiler
  • delphi
  • detect
  • hacker
  • hijack
  • killbox
  • movzx
  • process
  • registry
  • security
  • superdat
  • system32
  • .task
  • vbde
  • visual
  • virus

Symptoms

Existence of the files and registry keys listed under Characteristics.

Method of Infection

The worm spreads to removable drives by dropping the following files:

  • [Drive]:\Thoojloi.exe (Copy of itself)
  • [Drive]:\Autorun.inf

The worm also infects Microsoft Word files by prepending itself.
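The removable-drive vector depends on what the dropped Autorun.inf tells Explorer to run. The following is an added example (not McAfee's tooling) that parses an autorun.inf from a drive root and reports the directives that launch a program (open, shellexecute and shell\<verb>\command), then cross-checks them against the files present in the root. This page does not give the worm's actual autorun.inf contents, so the sample file below that points at Thoojloi.exe, and the root listing, are constructed from the dropped file name; the directive names are standard autorun.inf syntax.

```python
# Added example: triage an autorun.inf from a removable drive's root. The
# autorun.inf text and directory listing below are constructed, not captured.
import re
from typing import Dict, List, Set, Tuple

LAUNCH_DIRECTIVES = ("open", "shellexecute")          # run on insertion / default action
_SHELL_CMD_RE = re.compile(r"^shell\\[^\\]+\\command$")  # shell\<verb>\command
EXECUTABLE_EXTS = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif")


def parse_autorun_inf(text: str) -> Dict[str, str]:
    """Tolerant parser for the [autorun] section. Worms of this era padded the
    file with junk lines or extra sections to defeat naive signatures, so
    unreadable lines are skipped rather than raising."""
    directives: Dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, _, value = line.partition("=")
        directives[key.strip().lower()] = value.strip().strip('"')
    return directives


def launch_targets(directives: Dict[str, str]) -> List[Tuple[str, str]]:
    """(directive, program) pairs that cause code execution when the drive is
    inserted or when Explorer's default/context-menu action is used."""
    targets = []
    for key, value in directives.items():
        if key in LAUNCH_DIRECTIVES or _SHELL_CMD_RE.match(key):
            program = value.split()[0] if value else ""
            targets.append((key, program))
    return targets


def triage_drive_root(listing: Set[str], inf_text: str) -> dict:
    """Flag an autorun.inf whose launch target is an executable sitting in the
    drive root, the pattern this worm uses ([Drive]:\Thoojloi.exe)."""
    directives = parse_autorun_inf(inf_text)
    present = {name.lower() for name in listing}
    entries = []
    for directive, program in launch_targets(directives):
        base = program.replace("/", "\\").split("\\")[-1].lower()
        entries.append({
            "directive": directive,
            "program": program,
            "present_in_root": base in present,
            "executable": base.endswith(EXECUTABLE_EXTS),
        })
    return {
        "autorun_present": bool(directives),
        "launch_entries": entries,
        "suspicious": any(e["present_in_root"] and e["executable"] for e in entries),
    }


# Constructed autorun.inf: every launch directive pointed at the dropped copy.
CONSTRUCTED_INF = """[autorun]
open=Thoojloi.exe
shellexecute=Thoojloi.exe
shell\\open\\command=Thoojloi.exe
shell\\explore\\command=Thoojloi.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""
CONSTRUCTED_ROOT = {"Autorun.inf", "Thoojloi.exe", "Quarterly report.exe", "photos"}

# Constructed benign autorun.inf: only cosmetic directives, nothing is launched.
BENIGN_INF = """[autorun]
icon=setup.exe,0
label=Vendor Driver CD
"""

if __name__ == "__main__":
    print(triage_drive_root(CONSTRUCTED_ROOT, CONSTRUCTED_INF))
    print(triage_drive_root({"Autorun.inf", "setup.exe"}, BENIGN_INF))
```

The shell\open\command and shell\explore\command entries matter even where AutoRun is disabled: they replace the Open and Explore actions in Explorer's context menu for the drive, so a user who double-clicks the drive icon runs the worm. Disabling AutoRun for all drive types (the NoDriveTypeAutoRun policy, a general hardening step not taken from this page) removes the insertion trigger but not those menu hijacks, which is why the root of an untrusted drive should be inspected with a listing tool rather than opened in Explorer.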

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

The worm attempts to spread to removable drives by creating an autorun.inf file that runs the worm automatically when the drive is inserted into a system with AutoRun enabled. The worm also infects Microsoft Word files.
