When the worm is executed, it makes certain changes to
the registry to ensure it runs on every system startup on the infected
machine. Next, it creates the hidden file “C:\boot.ini.ini”, in which it
writes the current time and the logged-in user. Then it creates a copy of itself
inside the root directory of every accessible drive under the name
“ntdetect.exe” and creates an autorun.inf file which points to the previously
In order to avoid antivirus detection, it creates another
copy of itself in %windir%\system32\system.exe and continues execution from
that new location.
The new instance will perform the following actions every
- rewrite the startup registry key
- check if any of its files have been removed, in which case it simply recreates them
- make new copies of autorun.inf, boot.ini.ini and ntdetect.exe on every drive
- make changes to the registry so that hidden files are not displayed, file extensions are not shown and system directories are not searchable with Windows Explorer
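A defender-side check for the drive-root artifacts described above, as an added example that is not part of the original article. It assumes the autorun.inf launch entry references ntdetect.exe (the sentence naming its target is cut off on this page); the function names and the sample directories are constructed for illustration.

```python
import os
import tempfile

# File names come from the description above. The autorun.inf keys checked
# (open, shellexecute, shell\<verb>\command) are the standard AutoRun launch keys.
DROPPED = ("ntdetect.exe", "boot.ini.ini")
LAUNCH_KEYS = ("open", "shellexecute")

def autorun_targets(path):
    """Return the lower-cased values of every launch key in an autorun.inf."""
    targets = []
    with open(path, "r", errors="replace") as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith((";", "[")) or "=" not in line:
                continue  # skip blanks, comments, section headers, junk lines
            key, value = (part.strip().lower() for part in line.split("=", 1))
            if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
                targets.append(value)
    return targets

def scan_root(root):
    """Check one drive root for the dropped files and a matching autorun.inf."""
    names = {n.lower(): n for n in os.listdir(root)}  # case-insensitive lookup
    findings = [f"dropped file present: {names[n]}" for n in DROPPED if n in names]
    if "autorun.inf" in names:
        for target in autorun_targets(os.path.join(root, names["autorun.inf"])):
            if "ntdetect.exe" in target:  # assumption: autorun.inf points at this copy
                findings.append(f"autorun.inf launches: {target}")
    return findings

def demo():
    """Build a clean and an infected-looking root (constructed data) and scan both."""
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as dirty:
        with open(os.path.join(clean, "autorun.inf"), "w") as fh:
            fh.write("[autorun]\nicon=setup.ico\nopen=setup.exe\n")
        for name in DROPPED:
            open(os.path.join(dirty, name), "w").close()
        with open(os.path.join(dirty, "AUTORUN.INF"), "w") as fh:
            fh.write("[AutoRun]\r\nOpen=ntdetect.exe\r\nshell\\open\\Command=ntdetect.exe\r\n")
        return scan_root(clean), scan_root(dirty)

if __name__ == "__main__":
    for result in demo():
        print(result)
```

On a live system, call `scan_root` on each drive root; because the worm recreates removed files, findings that reappear after cleanup indicate the resident copy is still running.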
If the user starts the Registry Editor or the Task Manager,
the worm immediately kills them; it finds them by searching all open window
titles for the strings “registry editor” or “windows task manager”. If
a window with “folder options” is opened, it minimizes it and changes
its title to “Registry error!”.
The worm has a tricky way of removing itself or stopping
execution, probably a remnant from when its author was debugging it. It checks
window titles for the strings “! Exit” or “! Restore”. If they are found, it
changes the window's title to “Type Exit Password” or “Type Restore Password”
respectively. Then the worm waits for the window to change its title to the
correct password, which was “M13Exit” to stop execution of the worm or
“M13Restore” to make it uninstall from the infected system.
Another command it understood through this
method is “! ShowUsers”, which made the worm generate a *.html file containing a
list of the users it had infected up to that time.
downloads a text file from “http://91.[removed].122/Dialer_Min/number.asp”
“number.txt” contains a single high-cost phone number which is
randomly generated from a list.
The number is dialed if a modem is attached to your computer, thus inflating
your phone bill.
in this article is available courtesy of BitDefender virus researchers: Lutas
Andrei Vlad and Horea Coroiu