When started, the malware drops one of its components into the folder:
%%PROGRAM FILES%%\common files\microsoft shared\web folders
After this, it will set the timestamp information of the newly created file to that of the system's notepad.exe and will save the path to the original infected file into:
then it will spawn the dropped component. That component will proceed to acquire enough privileges to perform its duties, then it will create a service called "Hello World!". After this, it will spawn a hidden instance of Internet Explorer and copy the file:
and spawn a hidden instance of it.
The two spawned programs are used to perform the actual malicious behaviour: in fact the malware, before termination, will create a remote thread in each program, with different purposes.
The remote thread created in the Internet Explorer process is responsible for downloading an updated version of the malware, along with an additional malware package, that is unpacked and launched by the other thread.
The remote thread created in the notepad/svchost process is used to perform the actual file infection. It will first replace the original infection vector with a clean version of the same file, and then launch it to trick the user into thinking that everything is normal. After this, it will proceed to unpack the malware package downloaded by the other thread, and will launch all the resulting malware. After this, it will start recursing the available drives on the local machine, network and removable devices to find files suitable for infection, and infect them.
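Two of the host artefacts described above are cheap to check for during triage: a file in the "web folders" directory whose creation and last-write times were copied from notepad.exe (timestomping), and a service named "Hello World!". The script below is an added example written for this page, not code from the original write-up or from the vendor; the expansion of %%PROGRAM FILES%%, the file names and timestamps in the sample data, and the service list are all constructed, and the `collect_dir` helper is the only part that touches a live system.

```python
"""Triage helper for the dropped-component and service indicators described above.
Added example; sample records are constructed, not captured from a real infection."""
from dataclasses import dataclass
from datetime import datetime, timezone
import os

# Assumed expansion of the %%PROGRAM FILES%% placeholder used in the write-up.
DROP_DIR = r"C:\Program Files\Common Files\Microsoft Shared\Web Folders"
SERVICE_NAME = "Hello World!"  # service name quoted in the description


@dataclass(frozen=True)
class FileRecord:
    path: str
    mtime: datetime  # last-write time
    ctime: datetime  # creation time (Windows st_ctime semantics)


def find_timestomped(files, reference):
    """Return paths of files (other than the reference itself) whose creation
    and last-write times both equal those of `reference` to the second.
    An exact match on both stamps is a timestomping indicator; coincidences
    happen (e.g. files installed by the same setup), so hits are candidates
    for manual review, not verdicts."""
    hits = []
    for f in files:
        if f.path.lower() == reference.path.lower():
            continue
        if f.mtime == reference.mtime and f.ctime == reference.ctime:
            hits.append(f.path)
    return hits


def find_suspicious_services(service_names):
    """Return the installed service names matching the one the malware creates."""
    return [s for s in service_names if s == SERVICE_NAME]


def triage(files, reference, service_names):
    """Combine both checks into one result dict for reporting."""
    return {
        "timestomped": find_timestomped(files, reference),
        "services": find_suspicious_services(service_names),
    }


def collect_dir(dirpath):
    """Live collection: build FileRecords from a real directory. On Windows
    st_ctime is the creation time; on other platforms it is the inode change
    time, so this check is only meaningful on the infected Windows host."""
    out = []
    for name in os.listdir(dirpath):
        p = os.path.join(dirpath, name)
        st = os.stat(p)
        out.append(FileRecord(
            p,
            datetime.fromtimestamp(int(st.st_mtime), timezone.utc),
            datetime.fromtimestamp(int(st.st_ctime), timezone.utc),
        ))
    return out


# Constructed sample data: one legitimate file, one dropped component whose
# stamps were copied from notepad.exe, and a service list containing the
# malware's service next to an unrelated one.
_T_NOTEPAD = datetime(2001, 8, 23, 12, 0, 0, tzinfo=timezone.utc)
_T_OTHER = datetime(2003, 2, 14, 9, 30, 15, tzinfo=timezone.utc)
NOTEPAD = FileRecord(r"C:\Windows\notepad.exe", _T_NOTEPAD, _T_NOTEPAD)
SAMPLE_FILES = [
    FileRecord(DROP_DIR + r"\legit_component.dll", _T_OTHER, _T_OTHER),
    FileRecord(DROP_DIR + r"\dropped_sample.exe", _T_NOTEPAD, _T_NOTEPAD),
]
SAMPLE_SERVICES = ["Spooler", "Hello World!"]

if __name__ == "__main__":
    result = triage(SAMPLE_FILES, NOTEPAD, SAMPLE_SERVICES)
    print("Timestomped candidates:", result["timestomped"])
    print("Suspicious services:   ", result["services"])
```

On a live host, replace `SAMPLE_FILES` with `collect_dir(DROP_DIR)`, build the reference record from the real notepad.exe, and feed the output of the system's service enumeration into `find_suspicious_services`; the comparison deliberately truncates to whole seconds because copied stamps are usually exact, while an unrelated file is unlikely to match both stamps to the second.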
Running an infected file will directly infect files over local drives, network drives and removable drives.
Use specified engine and DAT files for detection. To remove, boot to MS-DOS mode or use a boot diskette and use the command line scanner such as: