Continued from our last post — Virus Encyclopedia vol. 1F.
This is a computer worm that causes low-intensity damage to data and files. It was first discovered in July 2010, when it infected thousands of computers worldwide. Its presence is indicated by the following artifacts:
- The file "C:\Windows\system32\logon.exe" (logon.exe is not a standard Windows binary; the legitimate logon components are winlogon.exe and logonui.exe).
- The registry value "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell" set to "Explorer.exe logon.exe" (on a clean system the value is just "Explorer.exe").
- The files "autorun.exe" (a copy of the worm) and "autorun.inf" in the root of infected removable drives.
Once executed, the worm copies itself to "C:\Windows\system32\logon.exe" and changes the registry value "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell" from "Explorer.exe" to "Explorer.exe logon.exe". Winlogon starts every program listed in that value, so the copy runs each time a user logs in.
The worm injects code into the memory of running processes, including "svchost.exe" and "explorer.exe", and then terminates its own process, so no separate malware process shows up in the process list.
From the injected code it spreads by copying itself to attached removable drives as "autorun.exe" and writing an "autorun.inf" beside it. The .inf file carries the commands that launch the worm when the drive is attached to another machine. Note that this only works where AutoRun is still enabled for removable drives; Windows has shipped it disabled for such drives since 2011, but older or reconfigured hosts remain exposed.
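The two indicator checks from this entry (an extra program in the Winlogon Shell value, and an autorun.inf whose launch target is sitting on the drive), as an added Python example that is not code from the original page. It runs over constructed input (a registry value string, directory listings and an autorun.inf text) rather than querying a live Windows host; the key names open=, shellexecute= and shell\<verb>\command are the standard AutoRun launch entries and are an assumption of this example, not something the page lists.

```python
"""Indicator checks for a Winlogon Shell hijack and an autorun.inf dropper.
Example code added to this page; the inputs are constructed, not taken from a live host."""
import configparser
import re

EXPECTED_SHELL = "explorer.exe"   # the only program a clean Winlogon "Shell" value names


def extra_shell_entries(shell_value: str) -> list[str]:
    """Return every program named in a Winlogon Shell value other than explorer.exe.

    Winlogon launches each entry in the value at logon, so an infected host shows
    "Explorer.exe logon.exe" while a clean one shows just "Explorer.exe"."""
    entries = [e for e in re.split(r"[,\s]+", shell_value.strip()) if e]
    # Compare on the bare file name so "C:\Windows\explorer.exe" still counts as clean.
    names = [e.strip('"').rsplit("\\", 1)[-1].lower() for e in entries]
    return [n for n in names if n != EXPECTED_SHELL]


def autorun_targets(autorun_inf_text: str) -> list[str]:
    """Return the programs an autorun.inf would launch.

    AutoRun reads the [AutoRun] section: open= and shellexecute= run a program when the
    drive is inserted or opened, and shell\\<verb>\\command defines context-menu verbs.
    (Standard AutoRun key names; an assumption of this example, not from the page.)"""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str.lower            # INF keys are case-insensitive
    cp.read_string(autorun_inf_text)
    targets = set()
    for section in cp.sections():
        if section.lower() != "autorun":
            continue
        for key, value in cp.items(section):
            if key in ("open", "shellexecute") or key.startswith("shell\\"):
                targets.add(value.strip().strip('"'))
    return sorted(targets)


def check_host(shell_value: str, system32_listing: list[str]) -> list[str]:
    """Host-side findings: extra Shell entries and the dropped logon.exe."""
    findings = [f"Winlogon Shell launches an extra program: {e}"
                for e in extra_shell_entries(shell_value)]
    # logon.exe is not a Windows binary (winlogon.exe and logonui.exe are).
    if any(name.lower() == "logon.exe" for name in system32_listing):
        findings.append("logon.exe present in system32")
    return findings


def check_removable(root_listing: list[str], autorun_inf_text: str) -> list[str]:
    """Drive-side findings: an autorun.inf whose launch target is also on the drive."""
    names = {n.lower() for n in root_listing}
    if "autorun.inf" not in names:
        return []
    return [f"autorun.inf launches {t}, which is present on the drive"
            for t in autorun_targets(autorun_inf_text) if t.lower() in names]


# Constructed sample data modelled on the indicators described in this entry.
SAMPLE_SHELL = "Explorer.exe logon.exe"
SAMPLE_AUTORUN_INF = r"""[AutoRun]
open=autorun.exe
shellexecute=autorun.exe
shell\open\command=autorun.exe
icon=autorun.exe,0
"""

if __name__ == "__main__":
    for f in check_host(SAMPLE_SHELL, ["kernel32.dll", "logon.exe"]):
        print("host:", f)
    for f in check_removable(["autorun.inf", "autorun.exe", "photos"], SAMPLE_AUTORUN_INF):
        print("drive:", f)
```

On a real host the Shell value comes from `reg query` or `Get-ItemProperty`, and the listings from the drive roots; the logic above is what a triage script applies to them. Flagging only an autorun.inf whose target is actually present avoids noise from stale .inf files left behind by legitimate installers.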
This is a low-damage malware family first discovered in January 2010, when it infected thousands of PCs worldwide.
Its presence is indicated by the following file, where both the folder name and the file name are randomly generated:
"%Documents and Settings%\%user name%\Application Data\*random name1*\*random name2*.exe"
Once executed, the malware first creates a folder with a random name under "%Documents and Settings%\%user name%\Application Data\" and copies itself into that folder, again under a random name.
It then launches the new copy, which writes a batch file that deletes the original executable and then the batch file itself, leaving only the randomly named copy behind. The new process injects code into other running processes, and from there the malware can connect to the internet to send out private data or download further malware. None of this is visible to the user.
Once detected, this malware should be immediately removed from the PC to prevent damage of data and programs.
As the name suggests, this is a Trojan horse that steals private information, in particular login credentials for a variety of online games.
It drops a copy of itself at the following location:
<User's documents and settings>\Local Settings\Temp\dsoqq.exe
It then sets the copy to run automatically by adding a value named "dso32" to the following registry key:
It is most often detected by the presence of the files dsoqq.exe and dsoqq0.dll and the auto-run entry for dsoqq.exe. The system may also become slow, and the Trojan may create auto-run files on all drives.
As its name suggests, this is a backdoor written in Visual Basic .NET, about 100 KB in size. Unlike most malware it is not compiled to native machine code for a particular CPU architecture: VB.NET compiles to Common Intermediate Language (IL), which the .NET runtime compiles to native code only when the program is run. The backdoor therefore executes only on machines with a matching .NET Framework installed; a machine without it can still carry the file (and pass it on), but cannot run it.
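A way to confirm that a suspect file is IL rather than native code, as an added Python example that is not from the original page: a PE file is a .NET assembly when slot 14 of its optional header's data directory (the CLR runtime header, IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR) has a non-zero address and size. The sample images are constructed, header-only buffers built by the helper build_sample_pe for testing; they are not real binaries.

```python
"""Tell a .NET (IL) executable from a native one by looking for the CLR runtime header.
Example code added to this page; the sample images are constructed, not real malware."""
import struct

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14   # data-directory slot that points at the CLR header


def is_dotnet_pe(data: bytes) -> bool:
    """True if the PE image has a non-empty CLR runtime header; False for native PEs and non-PEs."""
    try:
        if data[:2] != b"MZ":
            return False
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return False
        opt = e_lfanew + 4 + 20                   # optional header follows the 20-byte COFF header
        magic = struct.unpack_from("<H", data, opt)[0]
        if magic == PE32_MAGIC:
            ndirs_off = opt + 92                  # NumberOfRvaAndSizes, directories start right after
        elif magic == PE32PLUS_MAGIC:
            ndirs_off = opt + 108                 # PE32+: 8-byte ImageBase and stack/heap fields
        else:
            return False
        ndirs = struct.unpack_from("<I", data, ndirs_off)[0]
        if ndirs <= IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:
            return False                          # image declares no slot 14 at all
        slot = ndirs_off + 4 + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        rva, size = struct.unpack_from("<II", data, slot)
        return rva != 0 and size != 0
    except struct.error:
        return False                              # truncated header


def build_sample_pe(dotnet: bool, pe32plus: bool = False) -> bytes:
    """Construct a header-only PE image (no sections) for testing; a helper of this example."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, 0x2102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    ndirs_off = 108 if pe32plus else 92
    struct.pack_into("<I", opt, ndirs_off, 16)    # all 16 standard directory slots present
    if dotnet:
        # CLR header RVA and size (IMAGE_COR20_HEADER is 72 bytes); the RVA is illustrative
        struct.pack_into("<II", opt, ndirs_off + 4 + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, 0x2008, 72)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    for label, image in (("PE32 .NET", build_sample_pe(True)),
                         ("PE32 native", build_sample_pe(False)),
                         ("PE32+ .NET", build_sample_pe(True, pe32plus=True))):
        print(label, "->", "dotnet" if is_dotnet_pe(image) else "native")
```

For a file on disk, pass `open(path, "rb").read()` to is_dotnet_pe. Because the check reads only the headers, it works on a sample you have not let run, which is the situation the text describes: the file may be present on a host that has no .NET Framework and so cannot execute it.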
It can be detected by the presence of the following files on the system:
Once detected, these files should be removed from the system to prevent damage to data and programs.