Virus Information


Prevalence: Low

Name: Win32.Worm.Zotob.A

Type:

Affected operating systems:

Aliases: Zotob

Date of surface: Aug 14 2005 12:00AM

The virus comes packed with UPack and it is about 22KB in size. The virus uses a PNP exploit on port 445 to spread.

At startup, the virus disables (if present) the Windows XP SP2 firewall, registers itself with Windows to be run at every system startup and copies itself into the %SYSDIR% directory. The virus also overwrites the %SYSDIR%\drivers\etc\hosts file, which blocks updates for most antivirus products.

The virus has two major components: an FTP server and a "search and exploit" thread. First the virus starts the FTP server. It then takes the IP address of the current computer and keeps only the first two octets (for example, 192.168.0.1 is split into 192.168 and 0.1: the first two groups remain constant, while the last two are generated randomly to search for computers in the local area network). The virus "pings" each generated IP to check whether a computer is actually there, and then tries to exploit it. If the exploit is successful, a batch file (.bat) is dropped on the victim, which downloads the virus via FTP from the exploiting computer's IP address and starts it on the victim computer.
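The propagation pattern above also gives defenders a detection handle: an infected host opens port-445 connections to many distinct, apparently random addresses inside its own /16, which ordinary hosts rarely do. The following is an added example, not part of the original description; the log line format, addresses and threshold are constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample firewall log (not from the original page):
# "<timestamp> <src_ip> -> <dst_ip>:<dst_port> <action>"
SAMPLE_LOG = """\
2005-08-14T12:00:01 192.168.3.7 -> 192.168.211.45:445 DROP
2005-08-14T12:00:01 192.168.3.7 -> 192.168.17.200:445 DROP
2005-08-14T12:00:02 192.168.3.7 -> 192.168.99.3:445 DROP
2005-08-14T12:00:02 192.168.3.7 -> 192.168.250.118:445 DROP
2005-08-14T12:00:03 192.168.3.7 -> 192.168.42.9:445 DROP
2005-08-14T12:00:03 192.168.3.7 -> 192.168.0.1:445 ALLOW
2005-08-14T12:00:04 192.168.3.20 -> 192.168.3.10:445 ALLOW
2005-08-14T12:00:05 192.168.3.20 -> 192.168.3.10:445 ALLOW
2005-08-14T12:00:06 192.168.3.20 -> 10.0.0.5:80 ALLOW
"""

def parse_line(line):
    """Return (src, dst, dport) from one constructed log line, or None if malformed."""
    parts = line.split()
    if len(parts) != 5 or parts[2] != "->":
        return None
    dst, _, port = parts[3].rpartition(":")
    return parts[1], dst, int(port)

def find_smb_sweepers(log_text, threshold=5):
    """Return {src: n} for hosts contacting >= threshold distinct port-445
    targets inside their own /16.

    The worm keeps the first two octets of the infected host's address and
    randomises the last two, so many distinct same-/16 SMB targets from one
    source in a short window is the signal we look for. The threshold is a
    constructed tuning value, not something the original page states.
    """
    targets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, dport = rec
        if dport != 445:
            continue
        # Only count targets in the same /16 as the source, excluding itself.
        src_net = ip_network(f"{src}/16", strict=False)
        if ip_address(dst) in src_net and dst != src:
            targets[src].add(dst)
    return {src: len(d) for src, d in targets.items() if len(d) >= threshold}
```

On the constructed log, only 192.168.3.7 is flagged (six distinct same-/16 targets on port 445); the host that repeatedly talks to a single file server is not.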

The virus reports its current operational status via IRC to its creator's channel (for example after a successful exploit and infection), and also accepts commands from its creator via IRC. It can also be updated via IRC/HTTP to a newer version.

For disinfection, download and run our free eScan Anti-Virus Toolkit. The utility checks your computer, system registry, and running processes for malicious programs, illegal dialers, and sniffer tools. Note: This tool does not protect your PC in real time.

You can download the eScan Anti-Virus Toolkit utility from the MicroWorld Web site.

Alternatively, you can install MicroWorld’s Internet Security Suite which has real time detection capabilities.
You can download and install the product from our eScan download page.