piece of rogue software is promoting “System Security”. When executed, the
application creates a copy of itself in %appdata%[random].exe, where [random] is
an 8-digit random number. It registers this executable to run at system
startup by making changes to the registry and then deletes itself using the
batch self-delete technique.
e-threat is executed at startup, it will mimic a full system scan, alerting the
user to numerous infections. All of them
are fake and have only one purpose: to make the victim buy the product to “clean”
executed, the worm makes a copy of itself in %temp%svchost32.exe and registers
the executable to run at system startup.
uses two distinct methods to spread. The first is the autorun.inf method. It
creates copies of itself in the root folder of every local drive, network drive
and removable drive along with an autorun.inf file which points to the executable.
spreading routine is by using instant messengers like Skype, Yahoo! Messenger,
Windows Live Messenger, AIM and ICQ. It
searches for opened windows of these applications and filters data (user
accounts) from several zones of interest: input boxes, lists, sub-windows. The
it will try sending a copy of itself to the user with the name
MichaelJackson_WTF.pif. It accomplishes this by
mimicking mouse and keyboard actions.
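A triage sketch for the startup copies and the autorun.inf spreading method described above. This is an added example, not BitDefender's code: the function names, the expanded folder forms of %appdata% and %temp%, the path separator after them, and all sample data are assumptions made for the illustration.

```python
import re

# Startup copies named in the write-up. Assumptions: a path separator follows
# %appdata% / %temp%, and the expanded folder forms are added for this example.
ROGUE_COPY = re.compile(
    r"(?:%appdata%|\\appdata\\roaming|\\application data)\\\d{8}\.exe\b", re.I)
WORM_COPY = re.compile(r"(?:%temp%|\\temp)\\svchost32\.exe\b", re.I)
EXEC_EXT = (".exe", ".pif", ".scr", ".com", ".bat", ".cmd")

def classify_run_entry(command):
    """Label a Run-key command line that matches either startup copy."""
    if ROGUE_COPY.search(command):
        return "rogue 'System Security' copy"
    if WORM_COPY.search(command):
        return "worm copy"
    return None

def autorun_targets(text):
    """Return the programs an autorun.inf body launches."""
    targets, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
        elif in_section and "=" in line and not line.startswith(";"):
            key, value = (p.strip() for p in line.split("=", 1))
            key = key.lower()
            if key in ("open", "shellexecute") or (
                    key.startswith("shell\\") and key.endswith("\\command")):
                targets.append(value)
    return targets

def root_level_executables(text):
    """Targets that are executables sitting beside autorun.inf in the drive root."""
    names = [t.strip('"') for t in autorun_targets(text)]
    return [n for n in names if n and "\\" not in n
            and n.split()[0].lower().endswith(EXEC_EXT)]

# Constructed sample data, not taken from an infected host.
SAMPLE_RUN = {
    "Updater": r"C:\Program Files\Vendor\update.exe /background",
    "48213907": r"C:\Users\lab\AppData\Roaming\48213907.exe",
    "svc": r"%temp%\svchost32.exe",
}
SAMPLE_AUTORUN = "[AutoRun]\n;junk\nopen=setup32.exe\nshell\\open\\command=setup32.exe\nicon=shell32.dll,4\n"

if __name__ == "__main__":
    print({k: classify_run_entry(v) for k, v in SAMPLE_RUN.items()})
    print(root_level_executables(SAMPLE_AUTORUN))
```

Feed `classify_run_entry` the values exported from the Run keys and `root_level_executables` the contents of any autorun.inf found in a drive root; a hit is a lead for manual review, not a verdict.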
in this article is available courtesy of BitDefender virus researchers: Marius
Vanta and Ovidiu Visoiu