Win32/Botvoice [Threat Name]
Win32/Botvoice.A [Threat Variant Name]
Category | trojan |
Size | 20992 B |
Aliases | Trojan.Botvoice (Symantec) |
 | Trojan.Win32.KillFiles.ms (Kaspersky) |
 | Del-520 (McAfee) |
Short description
Win32/Botvoice.A is a trojan that deletes files in specific folders. The file is run-time compressed using ASPack.
Installation
When executed, the trojan drops in the folder
- %appdata%\Microsoft\Speech\Files\UserLexicons\
the following file:
- SP_%variable%.dat (940 B)
The %variable% represents a random number.
The following Registry entries are set:
- [HKEY_CLASSES_ROOT\exefile\shell\open\command]
  - "(Default)" = ":: Win32\Hira.A - eCORE[GEDZAC] - I AlwAyS WilL LoVE YoU BeA ::"
- [HKEY_CLASSES_ROOT\comfile\shell\open\command]
  - "(Default)" = ":: Win32\Hira.A - eCORE[GEDZAC] - I AlwAyS WilL LoVE YoU BeA ::"
- [HKEY_CLASSES_ROOT\piffile\shell\open\command]
  - "(Default)" = ":: Win32\Hira.A - eCORE[GEDZAC] - I AlwAyS WilL LoVE YoU BeA ::"
- [HKEY_CLASSES_ROOT\batfile\shell\open\command]
  - "(Default)" = ":: Win32\Hira.A - eCORE[GEDZAC] - I AlwAyS WilL LoVE YoU BeA ::"
- [HKEY_CLASSES_ROOT\vbsfile\shell\open\command]
  - "(Default)" = ":: Win32\Hira.A - eCORE[GEDZAC] - I AlwAyS WilL LoVE YoU BeA ::"
- [HKEY_CLASSES_ROOT\jsfile\shell\open\command]
  - "(Default)" = ":: Win32\Hira.A - eCORE[GEDZAC] - I AlwAyS WilL LoVE YoU BeA ::"
- [HKEY_CLASSES_ROOT\htmlfile\shell\open\command]
  - "(Default)" = ":: Win32\Hira.A - eCORE[GEDZAC] - I AlwAyS WilL LoVE YoU BeA ::"
- [HKEY_CLASSES_ROOT\htmfile\shell\open\command]
  - "(Default)" = ":: Win32\Hira.A - eCORE[GEDZAC] - I AlwAyS WilL LoVE YoU BeA ::"
- [HKEY_CLASSES_ROOT\mp3file\shell\open\command]
  - "(Default)" = ":: Win32\Hira.A - eCORE[GEDZAC] - I AlwAyS WilL LoVE YoU BeA ::"
- [HKEY_CLASSES_ROOT\jpgfile\shell\open\command]
  - "(Default)" = ":: Win32\Hira.A - eCORE[GEDZAC] - I AlwAyS WilL LoVE YoU BeA ::"
- [HKEY_CLASSES_ROOT\service\CLSID]
  - "(Default)" = ":: Win32\Hira.A - eCORE[GEDZAC] - I AlwAyS WilL LoVE YoU BeA ::"
- [HKEY_CURRENT_USER\Software\Microsoft\Speech\CurrentUserLexicon]
  - "(Default)" = "Current User Lexicon"
  - "CLSID" = "{C9E37C15-DF92-4727-85D6-72E5EEB6995A}"
  - "FlushRate" = 10
- [HKEY_CURRENT_USER\Software\Microsoft\Speech\CurrentUserLexicon\{C9E37C15-DF92-4727-85D6-72E5EEB6995A}\Files]
  - "Datafile" = "%1a%\Microsoft\Speech\Files\UserLexicons\SP_%variable%.dat"
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
  - "DisableRegistryTools" = 1
  - "DisableTaskMgr" = 1
The modified Registry entries will prevent specific files from being opened.
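A triage check for the Registry changes listed above, written as an added example (it is not part of the original description or any vendor tooling). It assumes the input is the decoded text of a `reg export` file; the sample export is constructed, and the rule "a handler command with neither `%1` nor `.exe` is suspect" is a heuristic assumption, not a signature from the page.

```python
import re

# Constructed sample in `reg export` text format (not taken from a real host).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@=":: Win32\\Hira.A - eCORE[GEDZAC] - I AlwAyS WilL LoVE YoU BeA ::"
[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"DisableTaskMgr"=dword:00000000
'''

POLICY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def unquote(text):
    """Strip the surrounding quotes and undo .reg backslash escaping."""
    return re.sub(r"\\(.)", r"\1", text[1:-1])

def parse_export(text):
    """Yield (key, value_name, raw_data) for each single-line value."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key:
            name = "(Default)" if m.group(1) == "@" else unquote(m.group(1))
            yield key, name, m.group(2)

def find_tampering(text):
    """Return (key, value_name, data) for handler and policy values that look altered."""
    findings = []
    for key, name, data in parse_export(text):
        if key.lower().endswith(r"\shell\open\command") and name == "(Default)" and data.startswith('"'):
            cmd = unquote(data)
            # Heuristic (assumption): a working open command references %1 or an executable.
            if "%1" not in cmd and ".exe" not in cmd.lower():
                findings.append((key, name, cmd))
        elif key.lower() == POLICY_KEY.lower() and name in ("DisableRegistryTools", "DisableTaskMgr"):
            if data.lower().startswith("dword:") and int(data[6:], 16) == 1:
                findings.append((key, name, 1))
    return findings
```

Real `reg export` files are usually UTF-16 encoded, so decode them before passing the text to `find_tampering`.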
Other information
The following programs are terminated:
- explorer.exe
- msnmsgr.exe
The trojan may delete files stored in the following folders:
- C:\
- %windir%
- %windir%\ServicePackFiles\i386\
- %windir%\$NtServicePackUninstall$\
- %My Video%
- %My Pictures%
- %My Music%
- %Personal%
- %Desktop%
The trojan may display a dialog box with the title:
- Bea TkMmMmMmM
The dialog box contains the following text:
- I ProMise ... I Will Love YoU AlWayS BEa!
The trojan uses Microsoft Speech technology.
It may play the following text in a spoken voice:
- You has been infected I repeat You has been infected and your system files has been deletes. Sorry Have a Nice Day and bye bye
The trojan blocks keyboard and mouse input.