Win32/Vercuser [Threat Name]

Win32/Vercuser.B [Threat Variant Name]

Category: worm
Size: 337920 B
Detection created: Sep 10, 2012
Signature database version: 7462
Aliases: Backdoor:Win32/Vercuser.B (Microsoft)

Short description

Win32/Vercuser.B is a worm that spreads via removable media.

Installation

When executed, the worm copies itself to some of the following locations:

  • %temp%\%variable1%%variable2%\~temp~%variable3%iN.exe
  • %temp%\hsperfdata_temp\~temp~clear~%variable4%.exe
  • %systemdrive%\Program%specialchar%Files\Internet Explorer\iexplore.exe
  • %systemdrive%\Program%specialchar%Files\Windows Defender\MSASCui.exe
  • %programfiles%\Windows%specialchar%Defender\MSASCui.exe
  • %appdata%\Program%specialchar%Files\Internet Explorer\iexplore.exe
  • %appdata%\Program%specialchar%Files\Windows Defender\MSASCui.exe

The placeholders %variable1% through %variable4% each represent a random number.

The file(s) may have the System (S) and Hidden (H) attributes set in an attempt to hide them in Windows Explorer.


The worm may create the following files:

  • %startup%\Temp_Cleaner.lnk
  • %startup%\Windows%specialchar%Defender.lnk
  • %commonstartup%\Windows%specialchar%Defender.lnk

The worm may set the following Registry entries:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "Windows%specialchar%Defender" = "%programfiles%\Windows%specialchar%Defender\MSASCui.exe"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    • "Windows%specialchar%Defender" = "%programfiles%\Windows%specialchar%Defender\MSASCui.exe"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    • "ClearTemp" = "%temp%\hsperfdata_temp\~temp~clear~%variable4%.exe" /cleanup
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    • "SecurityUpdate%variable5%" = "%temp%\%variable1%%variable2%\~temp~%variable3%iN.exe" %specialchar% win
    • "ClearTemp" = "%temp%\hsperfdata_temp\~temp~clear~%variable4%.exe" /cleanup

This causes the worm to be executed on every system start.

Spreading

The worm copies itself into the root folders of fixed and/or removable drives using the following name:

  • %drive%\USB\Data\SecureDrive.exe

The worm creates the following file:

  • %drive%\autorun.inf

The file(s) may have the System (S) and Hidden (H) attributes set in an attempt to hide them in Windows Explorer.


The AUTORUN.INF file contains the path to the malware executable.


Thus, the worm ensures it is started each time infected media is inserted into the computer.


The worm may create the following files in the %drive% folder:

  • %variablename%.lnk

The %variablename% is one of the following strings:

  • 2012 Movies
  • 2013 Movies
  • 2012 Music
  • 2013 Music
  • 2013 Music Albums
  • 2012 Music Albums
  • Aishwarya Rai
  • Angelina jolie
  • Anti-Virus Installer
  • Bollywood
  • Celebrity Scandals
  • Copy of New Folder
  • Credit Card info
  • Banking passwords
  • Copy of Resume
  • Cute Girls
  • Do_Not_Open
  • Funny Animals
  • Funny People
  • Funny Videos
  • High Definition
  • HD Videos
  • HD Music Videos
  • Hollywood
  • Hot Celebrities
  • Funny Girls
  • Hot Girls
  • Hot Photos
  • Hot Videos
  • Hot Aishwarya
  • Hot Britney
  • Hot Wallpapers
  • Internet Business
  • Latest Hot
  • Music Videos
  • Make Money
  • Make Money Online
  • Marriage Photos
  • Most Wanted
  • Movies
  • MTV Videos
  • Music Albums
  • My Passwords
  • My Resume
  • New Photos
  • New Projects
  • New Wallpapers
  • New Folder (2)
  • New Folder - Copy
  • Passwords
  • Resume
  • Resume Latest
  • Resume Final
  • Project Works
  • Scanned Documents
  • Scanned Photos
  • Secret Data
  • Secret Files
  • Secret Folder
  • Softwares
  • Spicy Images
  • Tom Cruise
  • Top Hip Hop
  • Video Downloads
  • Videos
  • Copy of Videos
  • Wallpapers
  • Youtube Downloads
  • Youtube Funny
  • Youtube Videos

The file is a shortcut to a malicious file.
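
A read-only triage of a mounted drive for the spreading artifacts listed in this section, as an added example that is not part of the original description or any vendor tool. The function names, the subset of shortcut names and the sample autorun.inf contents are assumptions constructed for illustration; the description states only that the file contains the path to the executable.

```python
import os
import re
import tempfile

# Subset of the shortcut names listed above (the page's list is longer).
LURE_NAMES = {"2012 movies", "my passwords", "copy of resume",
              "secret folder", "new folder (2)"}
# %drive%\USB\Data\SecureDrive.exe, compared case-insensitively.
DROP_PATH = ("usb", "data", "securedrive.exe")
# autorun.inf keys that name a program to launch.
AUTORUN_KEYS = re.compile(
    r"^\s*(open|shellexecute|shell\\[^=]*\\command)\s*=\s*(.+?)\s*$", re.I)


def _find_ci(directory, name):
    """Case-insensitive lookup of one directory entry (FAT/NTFS semantics)."""
    try:
        for entry in os.listdir(directory):
            if entry.lower() == name:
                return os.path.join(directory, entry)
    except OSError:
        pass  # missing path, not a directory, or unreadable
    return None


def autorun_targets(path):
    """Return the launch targets named in an autorun.inf file."""
    targets = []
    # latin-1 never fails to decode; dropping NULs copes with UTF-16 files.
    with open(path, "r", encoding="latin-1") as fh:
        for line in fh:
            match = AUTORUN_KEYS.match(line.replace("\x00", ""))
            if match:
                targets.append(match.group(2))
    return targets


def triage_drive(root):
    """List (kind, detail) findings for the artifacts described above."""
    findings = []
    path = root
    for part in DROP_PATH:
        path = _find_ci(path, part) if path else None
    if path and os.path.isfile(path):
        findings.append(("dropped-copy", path))
    inf = _find_ci(root, "autorun.inf")
    if inf and os.path.isfile(inf):
        findings += [("autorun-target", t) for t in autorun_targets(inf)]
    for entry in sorted(os.listdir(root)):
        stem, ext = os.path.splitext(entry)
        if ext.lower() == ".lnk" and stem.lower() in LURE_NAMES:
            findings.append(("lure-shortcut", entry))
    return findings


def build_sample_drive(root):
    """Constructed sample layout: empty placeholder files, no real malware."""
    os.makedirs(os.path.join(root, "USB", "Data"))
    open(os.path.join(root, "USB", "Data", "SecureDrive.exe"), "wb").close()
    with open(os.path.join(root, "AUTORUN.INF"), "w") as fh:
        fh.write("[autorun]\nopen=USB\\Data\\SecureDrive.exe\n")
    for name in ("My Passwords.lnk", "holiday.lnk", "notes.txt"):
        open(os.path.join(root, name), "wb").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as drive:
        build_sample_drive(drive)
        for kind, detail in triage_drive(drive):
            print(kind, detail)
```

Because the files may carry the System and Hidden attributes, run this against a mounted image or from a tool that lists hidden entries rather than relying on what Windows Explorer shows.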

Other information

The worm may create the following files:

  • %appdata%\~temp~%variable1%
  • %appdata%\~temp~%variable2%.exe
  • %appdata%\Program%specialchar%Files\Internet Explorer\con
  • %appdata%\Program%specialchar%Files\Internet Explorer\lpt1
  • %appdata%\Program%specialchar%Files\Internet Explorer\desktop.ini
  • %program_files%\Internet Explorer\ieinstal.dll
  • %systemdrive%\Program%specialchar%Files\Windows Defender\desktop.ini
  • %systemdrive%\Program%specialchar%Files\desktop.ini
  • %systemdrive%\Program%specialchar%Files\Internet Explorer\con
  • %systemdrive%\Program%specialchar%Files\Internet Explorer\lpt1
  • %systemdrive%\Program%specialchar%Files\Internet Explorer\desktop.ini
  • %systemdrive%\$RECYCLE.BIN\~DF%variable3%KB.tmp.exe (Win32/Poison.NAE, 8190 B)
  • %systemdrive%\$RECYCLE.BIN\DC%variable3%.exe (Win32/Poison.NAE, 8190 B)
  • %systemdrive%\RECYCLER\~DF%variable3%KB.tmp.exe (Win32/Poison.NAE, 8190 B)
  • %systemdrive%\RECYCLER\DC%variable3%.exe (Win32/Poison.NAE, 8190 B)
  • %systemdrive%\*RECYCLE*\~DF%variable3%KB.tmp.exe (Win32/Poison.NAE, 8190 B)
  • %systemdrive%\*RECYCLE*\DC%variable3%.exe (Win32/Poison.NAE, 8190 B)
  • %systemdrive%\$RECYCLE.BIN\~DF%variable4%KB.tmp.exe (Win32/Poison.AJQS, 8192 B)
  • %systemdrive%\$RECYCLE.BIN\DC%variable4%.exe (Win32/Poison.AJQS, 8192 B)
  • %systemdrive%\RECYCLER\~DF%variable4%KB.tmp.exe (Win32/Poison.AJQS, 8192 B)
  • %systemdrive%\RECYCLER\DC%variable4%.exe (Win32/Poison.AJQS, 8192 B)
  • %systemdrive%\*RECYCLE*\~DF%variable4%KB.tmp.exe (Win32/Poison.AJQS, 8192 B)
  • %systemdrive%\*RECYCLE*\DC%variable4%.exe (Win32/Poison.AJQS, 8192 B)
  • %temp%\~ix~data.dat
  • %temp%\%variable5%
  • %temp%\~security~update~%variable6%.log

A string with variable content is used in place of %variable1-5%.


The worm creates and runs a new thread with its own program code within the following processes:

  • explorer.exe
  • iexplore.exe

The worm may set the following Registry entries:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    • "Hidden" = 2
    • "HideFileExt" = 1
    • "ShowSuperHidden" = 0
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt]
    • "DefaultValue" = 1
    • "CheckedValue" = 1
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN]
    • "CheckedValue" = 2
    • "CheckedValue" = 1
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
    • "CheckedValue" = 1
    • "DefaultValue" = 2
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden]
    • "CheckedValue" = 0
    • "DefaultValue" = 0
    • "UncheckedValue" = 0
  • [HKEY_CURRENT_USER\Software\Microsoft\Internet Connection Wizard]
    • "Completed" = 16777216
  • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
    • "Check_Associations" = "no"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    • "GlobalUserOffline" = 0

The worm keeps various information in the following Registry keys:

  • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer]
    • "DownDir" = "%data1%"
    • "LastDir" = "%data2%"
    • "LastUpdate" = "%data3%"
    • "VersionCount" = "%data4%"
    • "WaitDir" = "%data5%"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer]
    • "LastUpdate" = "%data6%"

The worm terminates its execution if it detects that it's running in a specific virtual environment.


The worm terminates itself if it detects any application with one of the following strings in its window name:

  • WhatChanged
  • Blue Project Software SysTracer
  • SpyMe Tools
  • Regshot
  • Process Monitor
  • Autoruns
  • Registry Editor
  • ProcessActivityView
  • Process Lasso
  • Process Explorer
  • Process Hacker
  • System Explorer
  • Yet Another (remote) Process Monitor
  • Yet Another Process Monitor
  • Task Manager
  • eXtended Task Manager
  • Extended Task Manager by Extensoft
  • Sandbox
  • BufferZone

The worm may delete the following files:

  • .\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\*
  • .\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\*
  • .\AppData\Locallow\Microsoft\Windows\Temporary Internet Files\Content.IE5\*
  • .\AppData\Roaming\Microsoft\Windows\Temporary Internet Files\Content.IE5\*
  • .\AppData\Roaming\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\*
  • .\Local Setting\Temporary Internet Files\Content.IE5\*
  • desktop.ini

The worm terminates processes with any of the following strings in the path:

Then the worm deletes these files.


The worm contains a list of 18 URLs and may attempt to download files from the Internet over HTTP. The downloaded files are then executed.
