Win32/Botvoice [Threat Name]

Win32/Botvoice.A [Threat Variant Name]

Category: trojan
Size: 20992 B
Aliases: Trojan.Botvoice (Symantec)
  Trojan.Win32.KillFiles.ms (Kaspersky)
  Del-520 (McAfee)

Short description

Win32/Botvoice.A is a trojan that deletes files in specific folders. The file is run-time compressed using ASPack.

Installation

When executed, the trojan drops the following file into the folder %appdata%\Microsoft\Speech\Files\UserLexicons\:

  • SP_%variable%.dat (940 B)

Here %variable% represents a random number.


The following Registry entries are set:

  • [HKEY_CLASSES_ROOT\exefile\shell\open\command]
    • "(Default)" = ":: Win32\Hira.A - eCORE[GEDZAC] - I AlwAyS WilL LoVE YoU BeA ::"
  • [HKEY_CLASSES_ROOT\comfile\shell\open\command]
    • "(Default)" = ":: Win32\Hira.A - eCORE[GEDZAC] - I AlwAyS WilL LoVE YoU BeA ::"
  • [HKEY_CLASSES_ROOT\piffile\shell\open\command]
    • "(Default)" = ":: Win32\Hira.A - eCORE[GEDZAC] - I AlwAyS WilL LoVE YoU BeA ::"
  • [HKEY_CLASSES_ROOT\batfile\shell\open\command]
    • "(Default)" = ":: Win32\Hira.A - eCORE[GEDZAC] - I AlwAyS WilL LoVE YoU BeA ::"
  • [HKEY_CLASSES_ROOT\vbsfile\shell\open\command]
    • "(Default)" = ":: Win32\Hira.A - eCORE[GEDZAC] - I AlwAyS WilL LoVE YoU BeA ::"
  • [HKEY_CLASSES_ROOT\jsfile\shell\open\command]
    • "(Default)" = ":: Win32\Hira.A - eCORE[GEDZAC] - I AlwAyS WilL LoVE YoU BeA ::"
  • [HKEY_CLASSES_ROOT\htmlfile\shell\open\command]
    • "(Default)" = ":: Win32\Hira.A - eCORE[GEDZAC] - I AlwAyS WilL LoVE YoU BeA ::"
  • [HKEY_CLASSES_ROOT\htmfile\shell\open\command]
    • "(Default)" = ":: Win32\Hira.A - eCORE[GEDZAC] - I AlwAyS WilL LoVE YoU BeA ::"
  • [HKEY_CLASSES_ROOT\mp3file\shell\open\command]
    • "(Default)" = ":: Win32\Hira.A - eCORE[GEDZAC] - I AlwAyS WilL LoVE YoU BeA ::"
  • [HKEY_CLASSES_ROOT\jpgfile\shell\open\command]
    • "(Default)" = ":: Win32\Hira.A - eCORE[GEDZAC] - I AlwAyS WilL LoVE YoU BeA ::"
  • [HKEY_CLASSES_ROOT\service\CLSID]
    • "(Default)" = ":: Win32\Hira.A - eCORE[GEDZAC] - I AlwAyS WilL LoVE YoU BeA ::"
  • [HKEY_CURRENT_USER\Software\Microsoft\Speech\CurrentUserLexicon]
    • "(Default)" = "Current User Lexicon"
    • "CLSID" = "{C9E37C15-DF92-4727-85D6-72E5EEB6995A}"
    • "FlushRate" = 10
  • [HKEY_CURRENT_USER\Software\Microsoft\Speech\CurrentUserLexicon\{C9E37C15-DF92-4727-85D6-72E5EEB6995A}\Files]
    • "Datafile" = "%1a%\Microsoft\Speech\Files\UserLexicons\SP_%variable%.dat"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    • "DisableRegistryTools" = 1
    • "DisableTaskMgr" = 1

The modified Registry entries will prevent specific files from being opened.
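
The following triage check is an added example, not part of the original description or of any vendor tool. It scans the decoded text of a `reg export` for the two changes listed above: shell\open\command defaults that no longer look like a command, and the DisableRegistryTools / DisableTaskMgr policy values. The sample export, the function names and the "looks like a command" heuristic are assumptions made for illustration; REG_EXPAND_SZ (hex(2)) values are skipped rather than judged.

```python
import re

# Constructed sample in `reg export` text form, already decoded from UTF-16.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@=":: Win32\\Hira.A - eCORE[GEDZAC] - I AlwAyS WilL LoVE YoU BeA ::"
[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="C:\\Windows\\system32\\NOTEPAD.EXE %1"
[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"DisableTaskMgr"=dword:00000001
'''

HANDLER = re.compile(r'^HKEY_CLASSES_ROOT\\([^\\]+)\\shell\\open\\command$', re.I)
POLICY = r'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System'
VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def parse_reg(text):
    """Return {key_path: {value_name: raw_data}}; '@' is the (Default) value."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith('[') and line.endswith(']'):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and (m := VALUE.match(line)):
            current[m.group(1).strip('"')] = m.group(2)
    return keys

def reg_sz(raw):
    """Decode a quoted REG_SZ literal; other types (dword, hex(2)) return None."""
    if not raw or len(raw) < 2 or raw[0] != '"' or raw[-1] != '"':
        return None
    return re.sub(r'\\(.)', r'\1', raw[1:-1])

def looks_like_command(cmd):
    """Heuristic: an open verb names an executable or passes the file as %1/%L."""
    return bool(re.search(r'%[1l]|\.(exe|dll|com)\b', cmd, re.I))

def findings(keys):
    """List overwritten open handlers and set lock-out policies as tuples."""
    out = []
    for path, values in keys.items():
        cmd = reg_sz(values.get('@'))
        if (m := HANDLER.match(path)) and cmd is not None and not looks_like_command(cmd):
            out.append(('handler', m.group(1), cmd))
        if path.lower() == POLICY.lower():
            out += [('policy', n, 1) for n in ('DisableRegistryTools', 'DisableTaskMgr')
                    if values.get(n) == 'dword:00000001']
    return out
```

Calling `findings(parse_reg(SAMPLE_EXPORT))` reports the overwritten exefile handler and both policy values, and leaves the intact txtfile and batfile handlers alone.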

Other information

The following programs are terminated:

  • explorer.exe
  • msnmsgr.exe

The trojan may delete files stored in the following folders:

  • C:\
  • %windir%
  • %windir%\ServicePackFiles\i386\
  • %windir%\$NtServicePackUninstall$\
  • %My Video%
  • %My Pictures%
  • %My Music%
  • %Personal%
  • %Desktop%

The trojan may display a dialog box with the title:

  • Bea TkMmMmMmM

The dialog box contains the following text:

  • I ProMise ... I Will Love YoU AlWayS BEa!

The trojan uses Microsoft Speech technology.


It may play the following text in a spoken voice:

  • You has been infected I repeat You has been infected and your system files has been deletes. Sorry Have a Nice Day and bye bye

The trojan blocks keyboard and mouse input.
