MasterLock.b

Type: Trojan
SubType: E-mail
Discovery Date: 03/01/1999
Length: N/A
Minimum DAT: 4002 (12/02/1998)
Updated DAT: 4002 (12/02/1998)
Minimum Engine: 5.1.00
Description Added: 08/16/1999
Description Modified: 08/16/1999 12:00 AM (PT)
Risk Assessment:
  Corporate User: Low
  Home User: Low

Characteristics

When run, this trojan writes the following files to the computer:
c:\autoexec.bat
c:\unlock.bat
c:\hdkiller.txt
c:\windows\regedit.exe
c:\windows\scanregv.exe
c:\windows\fonts\winfont.exe
c:\windows\system\delphi3.exe
c:\windows\system\donotrun.bat
c:\windows\system\lockup1.pwd
c:\windows\system\systrent.dll

The original file AUTOEXEC.BAT is renamed to AUTOEXE.BAT and a new AUTOEXEC.BAT is created. On reboot, the new AUTOEXEC.BAT performs these actions:

* format c: /q /u
* display file hdkiller.txt
* create subdirectory "nasty" recursively, with message "You're Gone @$$ hole!!!!" in infinite loop

The file "hdkiller.txt" contains the message between the lines:
-------------------------------------------------------
You have been hit by the madmax 
this program is also a madmax production 
 
Here is a message to all you but lickers. . . 
 
CHAMPION FENERBAHCE. 
 
If you were destroyed by this  program, then you would have 
deserved it. Die you mother f***ers!!!! 
-------------------------------------------------------

The original Windows file "REGEDIT.EXE" is deleted and a new file "REGEDIT.EXE" is written in its place. The replacement is a packaged file; when run, it creates and runs a batch file called "UNLOCK.BAT". This batch file contains instructions similar to those in the AUTOEXEC.BAT file and also creates the file "HDKILLER.TXT". The file "DELPHI3.EXE" is only a renamed "ATTRIB.EXE", and the file "SYSTRENT.DLL" is a renamed "VB40032.DLL".

The registry is modified with this information:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Loadwinfonts = %winbootdir%\fonts\winfont.exe
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
ScanRegistry = C:\\WINDOWS\\scanregv.exe /autorun
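
A triage check for the file and registry artifacts listed above, written as an added example (it is not part of the original description or of any vendor tool). It assumes the suspect drive is mounted read-only at a directory and that the registry is available as a REGEDIT4 text export; the function names are illustrative.

```python
import os
import re

# Files from this page that have no legitimate counterpart on a clean system.
# autoexec.bat and regedit.exe are left out: both exist on clean installs.
DROPPED = [r"unlock.bat", r"hdkiller.txt", r"windows\scanregv.exe",
           r"windows\fonts\winfont.exe", r"windows\system\delphi3.exe",
           r"windows\system\donotrun.bat", r"windows\system\lockup1.pwd",
           r"windows\system\systrent.dll"]
AUTORUN_KEYS = (r"\currentversion\run", r"\currentversion\runservices")
AUTORUN_EXES = ("winfont.exe", "scanregv.exe")  # match value data, not names

def find_ci(root, rel):
    """Resolve a backslash-separated path under root, ignoring case as FAT does."""
    cur = root
    for part in rel.split("\\"):
        try:
            cur = os.path.join(cur, next(
                n for n in os.listdir(cur) if n.lower() == part.lower()))
        except (StopIteration, OSError):
            return None
    return cur

def scan_files(root):
    """Return the file artifacts found under root (assumed: the mounted C: drive)."""
    hits = [rel for rel in DROPPED if find_ci(root, rel)]
    if find_ci(root, "autoexe.bat"):
        hits.append("autoexe.bat (renamed original AUTOEXEC.BAT)")
    auto = find_ci(root, "autoexec.bat")
    if auto:
        with open(auto, errors="replace") as fh:
            if re.search(r"\bformat\s+c:", fh.read(), re.I):
                hits.append("autoexec.bat contains format c:")
    return hits

def scan_reg_export(text):
    """Return (key, value name) pairs in a REGEDIT4 export that launch the trojan."""
    hits, key = [], ""
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'"([^"]+)"="(.*)"$', line)
        if m and key.lower().endswith(AUTORUN_KEYS):
            if any(exe in m.group(2).lower() for exe in AUTORUN_EXES):
                hits.append((key, m.group(1)))
    return hits
```

A hit on AUTOEXE.BAT or on the `format c:` line means the machine must not be rebooted from that disk until the original AUTOEXEC.BAT has been restored.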

The file "winfont.exe" is the locking component of the trojan, loading an interactive screen whereby the user must type in a password to unlock the system. The user is given a limited number of tries before unsuccessful attempts in all tries

Variants

    N/A

All Information

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
