Win32/Ridnu [Threat Name]
Win32/Ridnu.NAA [Threat Variant Name]
| Category | worm |
| Size | 138360 B |
| Aliases | Email-Worm.Win32.Ridnu.f (Kaspersky), W32/Ridnu (McAfee), W32.Ridnu.B (Symantec) |
Short description
Win32/Ridnu.NAA is a worm that spreads via e-mail. The worm may terminate specific running processes. The file is run-time compressed using tElock.
Installation
When executed, the worm copies itself to the following locations:
- %drive%\Mr_CoolFace.scr
- %drive%\Mr_CF\Mr_CF.exe
- %system%\%variable%.exe
- %system%\Mr_CoolFace.scr
- %system%\msvbvm60.dll
- %windir%\Negeri Serumpun Sebalai .pif .bat .com .scr .exe
- %userprofile%\Local Settings\Temp\inf4D2.tmp
- %userprofile%\Local Settings\DNALSI_AKGNAB.exe
- %userprofile%\Local Settings\DNALSI_AKGNAB.exe.mutant
- %userprofile%\Local Settings\Mr_CF_Mutation.Excalibur
- %userprofile%\Desktop\Message For My Princess.txt
- %userprofile%\Desktop\Message For My Princess.scr
- %userprofile%\Application Data\explorer.exe
- %userprofile%\Application Data\Mr_CoolFace.exe
- %userprofile%\Application Data\SMA Negeri 1 Pangkalpinang.exe
- %userprofile%\Start Menu\Programs\Startup\winlogon.exe
- C:\explorer.exe
%variable% represents a random text.
The worm creates the following files:
- C:\Mutant.htm
- %userprofile%\Application Data\Mr_CF\Folder.htt
- %userprofile%\Application Data\Mr_CF\Desktop.ini
- %userprofile%\Local Settings\Application Data\Polymorph1.exe
- %userprofile%\Local Settings\Application Data\Polymorph2.exe
- %userprofile%\Application Data\Autorun.inf
The worm may create copies of itself using the following filenames:
- %allusersprofile%\Documents\Pantai Pasir Padi.scr
- %allusersprofile%\Documents\Bangka Island.scr
- %allusersprofile%\Documents\Pangkalpinang.scr
- %allusersprofile%\Documents\Pantai Parai.scr
- %allusersprofile%\Documents\Tanjung Pesona.scr
- %allusersprofile%\Documents\Lapangan Merdeka.scr
- %allusersprofile%\Documents\Sahang dan Timah.scr
The worm randomly inserts a copy of itself or text strings into the following files:
- %userprofile%\Application Data\Mutant.exe
- %userprofile%\Application Data\Sahang.exe
- %userprofile%\Application Data\Timah.exe
In order to be executed on every system start, the worm sets the following Registry entries:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
- "Userinit" = "%system%\userinit.exe, C:\explorer.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
- "Shell" = "explorer.exe C:\explorer.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
- "%name%" = "%variable%.exe"
%name%, %variable% represent random text.
The following Registry entries are set:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN]
- "CheckedValue" = 2
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN]
- "DefaultValue" = 2
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
- "CheckedValue" = 1
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
- "DefaultValue" = 2
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt]
- "CheckedValue" = 1
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt]
- "DefaultValue" = 1
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden]
- "CheckedValue" = 0
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden]
- "DefaultValue" = 0
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden]
- "UncheckedValue" = 0
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
- "Hidden" = 2
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
- "HideFileExt" = 1
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState]
- "FullPath" = 1
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState]
- "FullPathAddress" = 1
- [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
- "DisableConfig" = 1
- [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
- "DisableSR" = 1
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile]
- "(Default)" = "File Folder"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\scrfile]
- "(Default)" = "File Folder"
- [HKEY_CURRENT_USER\Control Panel\Desktop]
- "SCRNSAVE.EXE" = "MR_COO~1.SCR"
- [HKEY_CURRENT_USER\Control Panel\Desktop]
- "ScreenSaverIsSecure" = 0
- [HKEY_CURRENT_USER\Control Panel\Desktop]
- "ScreenSaveTimeOut" = 60
- [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
- "Start Page" = "C:\Mutant.htm"
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
- "AlternateShell" = "C:\explorer.exe"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot]
- "AlternateShell" = "C:\explorer.exe"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot]
- "AlternateShell" = "C:\explorer.exe"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot]
- "AlternateShell" = "C:\explorer.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spider.exe]
- "Debugger" = "C:\Explorer.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe]
- "Debugger" = "C:\Explorer.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe]
- "Debugger" = "C:\Explorer.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nip.exe]
- "Debugger" = "C:\Explorer.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zlh.exe]
- "Debugger" = "C:\Explorer.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zanda.exe]
- "Debugger" = "C:\Explorer.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvcsched.exe]
- "Debugger" = "C:\Explorer.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nipsvc.exe]
- "Debugger" = "C:\Explorer.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Njeeves.exe]
- "Debugger" = "C:\Explorer.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvcoas.exe]
- "Debugger" = "C:\Explorer.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CClaw.exe]
- "Debugger" = "C:\Explorer.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvcod.exe]
- "Debugger" = "C:\Explorer.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvccf.exe]
- "Debugger" = "C:\Explorer.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Niu.exe]
- "Debugger" = "C:\Explorer.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV.EXE]
- "Debugger" = "C:\Explorer.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\URemovalCRC32.exe]
- "Debugger" = "C:\Explorer.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winamp.exe]
- "Debugger" = "C:\Explorer.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe]
- "Debugger" = "C:\Explorer.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe]
- "Debugger" = "C:\Explorer.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ANSAV32.exe]
- "Debugger" = "C:\Explorer.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ANSAV.exe]
- "Debugger" = "C:\Explorer.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccapp.exe]
- "Debugger" = "C:\Explorer.exe"
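The entries above can be checked offline against a registry export. The following is an added example, not part of the original write-up: it parses text in the `.reg` export format and flags Image File Execution Options `Debugger` values, a modified Winlogon `Shell`/`Userinit`, and a non-default SafeBoot `AlternateShell`. The stock values it compares against assume a default install with Windows in `C:\Windows`, and the sample input is constructed.

```python
import re

WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
# Stock values assumed for a default install with Windows in C:\Windows.
STOCK = {"shell": "explorer.exe", "userinit": r"c:\windows\system32\userinit.exe,"}

def parse_reg(text):
    """Yield (key, value_name, data) for each value line of .reg export text."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if key is None or not m:
            continue
        name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
        data = m.group(2)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            # .reg files escape backslashes and quotes inside string data
            data = re.sub(r"\\(.)", r"\1", data[1:-1])
        yield key, name, data

def audit(text):
    """Return (rule, key, value_name, data) for entries matching the list above."""
    findings = []
    for key, name, data in parse_reg(text):
        k, n, d = key.lower(), name.lower(), data.lower().strip()
        if "\\image file execution options\\" in k and n == "debugger":
            rule = "ifeo-debugger"        # launches of the named image are redirected
        elif k == WINLOGON and n in STOCK and d != STOCK[n]:
            rule = "winlogon-modified"    # extra program appended to Shell/Userinit
        elif k.endswith("\\control\\safeboot") and n == "alternateshell" and d != "cmd.exe":
            rule = "safeboot-alternateshell"
        else:
            continue
        findings.append((rule, key, name, data))
    return findings

# Constructed sample in .reg export format; values follow the entries listed above.
SAMPLE = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe C:\\explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe]
"Debugger"="C:\\Explorer.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell"="C:\\explorer.exe"
'''

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=" | ")
```

A `Debugger` value can be set legitimately (for example by a task manager replacement), so each hit is a prompt to review the target path rather than a verdict.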
Spreading
The worm copies itself into the root folders of fixed and/or removable drives using the following names:
- %drive%\Mr_CoolFace.scr
- %drive%\Mr_CF\Mr_CF.exe
- %drive%\Beautiful Lady.scr
The worm creates the following files:
- %drive%\Autorun.inf
- %drive%\Mr_CF\Folder.htt
The worm searches local drives for files with the following file extensions:
- .Exe
- .exe
- .scr
- .PNG
- .png
- .SWF
- .swf
- .GIF
- .gif
- .BMP
- .bmp
- .BAT
- .bat
- .INF
- .inf
- .TXT
- .txt
- .RAR
- .rar
- .ZIP
- .zip
- .MDB
- .mdb
- .XLS
- .xls
- .PPT
- .ppt
- .HTML
- .html
- .HTM
- .htm
- .Avi
- .AVI
- .avi
- .3Gp
- .3GP
- .3gp
- .Mpg
- .MPG
- .mpg
- .MIDI
- .Midi
- .midi
- .Wmv
- .WMV
- .wmv
- .Wma
- .WMA
- .wma
- .Mp4
- .MP4
- .mp4
- .Mp3
- .MP3
- .mp3
- .Mid
- .MID
- .mid
- .Doc
- .DOC
- .doc
- .Mov
- .MOV
- mov
- .Jpeg
- .JPEG
- .jpeg
- .Rtf
- .RTF
- .rtf
- .Jpg
- .JPG
- .jpg
When the worm finds a file matching the search criteria, it creates a new copy of itself.
The name of the new file is based on the name of the file found in the search.
The extension of the file is ".scr".
Spreading via e-mail
The worm gathers e-mail addresses for further spreading from the e-mails stored locally.
Subject of the message is one of the following:
- Ketika Rindu bertemu Kangen
- Lama Tak Jumpa
- Ketika Kangen bertemu Rindu
- I miss U
- Still Remember???
- Please Remember Me.
- I Miss You So Much !
- Shall I Be The One For You ?
- Don't Forget Me,please!
- Remember Our Past?
- Rindu Yang Tak Tertahankan
- Please Come Back!
- I don't wish to lost you again!
- Malarindu Tropikangen
- Re:
Body of the message is one of the following:
The attachment is an executable of the worm.
Its filename is one of the following:
- Rindu dan Kangen bersatu.txt .pif
- Kangen dan Rindu bersatu.tmp .pif
- SweetMemory.doc .pif
- Friend Reminder.doc .exe
- www.lovestory.com
- MyMind.doc .pif
- CuteGame3.0 Installer.com
- LoveGame.bmp .exe
- My_Beloved.doc .exe
- Love_U_So_Much.txt .pif
- Our_Memory.ppt .pif
- I_Miss_U.doc .pif
- Rindu.doc .exe
- Kenangan Cinta.doc .pif
- Beauty ScreenSaver.scr
- Keygen.exe
- Data.doc .pif
- Tutorial.ppt .pif
- Crack.exe
- Mahasiswi Cantik.scr
- MindMap.exe
- NetMeeting.com
- Namo7.0_Installer.com
- www.Hacking_Tool.bat
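Most of the attachment names above put a document or image extension, then whitespace, then the real executable extension. The following added example (not from the original write-up) shows a mail-filter style check for that pattern using Python's standard `email` package; the extension sets are taken from the names listed above, and the sample message, addresses and payload are constructed placeholders.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

EXECUTABLE = {"exe", "scr", "pif", "com", "bat"}   # final extensions in the list above
DECOY = {"txt", "tmp", "doc", "ppt", "bmp"}        # decoy extensions in the list above

def classify(filename):
    """Return 'double-extension', 'executable' or 'ok' for an attachment name."""
    parts = [p.strip() for p in filename.lower().split(".")]
    if len(parts) < 2 or parts[-1] not in EXECUTABLE:
        return "ok"
    # "name.doc .pif": whitespace sits between the decoy and the real extension
    if len(parts) >= 3 and parts[-2] in DECOY:
        return "double-extension"
    return "executable"

def scan_message(raw_bytes):
    """Return [(filename, verdict)] for every flagged attachment in a raw message."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        verdict = classify(name)
        if verdict != "ok":
            hits.append((name, verdict))
    return hits

def build_sample(filename):
    """Constructed test message; the attachment body is a harmless placeholder."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "recipient@example.com"
    m["Subject"] = "I miss U"
    m.set_content("constructed sample body")
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    for name in ("SweetMemory.doc .pif", "Keygen.exe", "notes.doc"):
        print(name, "->", scan_message(build_sample(name)))
```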
Other information
The worm blocks keyboard and mouse input.
If the worm finds a window of a running process which contains any of the following strings in its title:
- Notepad
- NOTEPAD
- UNTITLED
the worm changes the window title to:
- Message For My Princess
The worm may insert any of the following text strings into edit controls of the running process:
- DEAR MY PRINCESS
- WHEN THE STARS FILL THE SKY I WILL MEET YOU MY LOVELY PRINCESS
- I MISS YOU SO MUCH MY PRINCESS
- IN MY DEAREST MEMORY I SEE YOU REACHING OUT TO ME
- I WILL REMEMBER YOU AS LONG AS YOU REMEMBER ME
- IN YOUR DEAREST MEMORY DO YOU REMEMBER LOVING ME
- PLEASE DO NOT FORGET OUR PAST
- DID YOU KNOW THAT I HAD MIND ON YOU
- I NEVER WISH TO LOSE YOU AGAIN
- SHALL I BE THE ONE FOR YOU
- I WANNA TAKE YOU TO MY PALACE
- I WILL TAKE YOU TO OUR UTOPIA
- I AM FALLING IN LOVE WITH YOU
- I WILL BE WAITING FOR YOU
- I DO NOT WANT TO SAY GOOD BYE TO YOU
- PLEASE DO NOT FORGET YOUR PRINCE
- I SAW YOU SMILING AT ME WAS IT REAL OR JUST MY FANTASY
- YOU WILL ALWAYS IN MY HEART
- YOU ALWAYS IN MY DREAMS
- I ALWAYS SEE YOU IN MY DREAMS
- I HAVE BEEN POISONED BY YOUR LOVE
- I MISS YOU I AM STILL LOOKING FOR YOU
- I WILL BE THERE I WILL BE WAITING FOR YOU
- PLEASE COME BACK TO OUR BEAUTY ISLAND
- I MISS YOUR CUTE SMILE
If the worm finds a window of a running process which contains any of the following strings in its title:
- MY DOCUMENTS
- FREECELL
- HEARTS
- MINESWEEPER
- PINBALL
- SOLITAIRE
the worm changes the window title to:
- Mr_CoolFace
If the worm finds a window of a running process which contains any of the following strings in its title:
- COPYING..
the worm changes the window title to:
- Sedang Mengopy...
If the worm finds a window of a running process which contains any of the following strings in its title:
- MOVING..
the worm changes the window title to:
- Sedang Memindahkan...
If the worm finds a window of a running process which contains any of the following strings in its title:
- DELETING..
the worm changes the window title to:
- Sedang Menghapus...
If the worm finds a window of a running process which contains any of the following strings in its title:
- RUN
- CREATE NEW TASK
the worm changes the window title to:
- Mr_CoolFace Has Come !
The worm may insert any of the following text strings into edit controls of the running process:
- MR COOLFACE !
The worm terminates any program that creates a window containing any of the following strings in its name:
- ANTI
- VIRUS
- SPIDER
- VIROLOG
- TROJAN
- WORM
- MALWARE
- TWEAK
- POWERDVD
- HIJACK
- SECURITY TASK
- PCMAV
- HACKER
- VAKSIN
- NORMAN
- NVC
- ZANDA
- MCAFEE
- AVG
- AVP
- EXTENSION TEST
- RESULT DETAIL
- SCANNING STATISTIC
- KASPERSKY
- SYMANTEC
- TREND
- SECUNIA
- REGISTRY
- OPTIX PRO
- FORCE
- PANDA
- F-SECURE
- SOPHOS
- CASTLECOP
- QKILL
- COMPACTBYTE
- EARTHLINK PROTECTION
- ERTANTO
- YOHAN
- WASHER
- NORTON
- PROCEXP
- MMC
- GRISOFT
- REGCURE
- AVAS
- CILIN
- MACHINE
- REMOVER
- REMOVI
- REMOVA
- ABLE
- SPYWARE
- BITDEF
- CLEANER
- REALPLAYER
- JAMILA
- PROCESS VIEWER
- PROCESS EXPLORER
- SYSINTERNAL
- IKNOW
- I KNOW
- TASK MANAGER
- TASKMANAGER
- TASKS MANAGER
- TASKGUARDIAN
- SPY
- MIGHTY CHICKEN
- MIGHTYCHICKEN
- WINPATROL
- WAV V
- POWERTOOL
- POWER TOOL
- TASK
- PROCESS MANAGER
- PROCESSMANAGER
- WINTASK
- WIN TASK
- LUKE FILEWALKER
- ANVIR
- AVIRA
- TASKINFO
- TASK INFO
- PROCESSMONITOR
- PROCESS MONITOR
- PROCESSINFO
- PROCESS INFO
- CURRPROCESS
- CURR PROCESS
- PCSUMMARIZER
- CHRIS PC
- NOTESXP
- STARTUP ORGANIZER
- SIKUP
- REGFIX
- REG FIX
- FLAMMING WALL
- AD-AWARE
- BLACKICE
- POP3TRAP
- COMMAND BRO
- BACA BRO
- ZXI
- ZX1
- ZX I
- ZX 1
- ZX_I
- ZX_1
- GEOBLACK
- IDIOT
- IDI0T
- PUSHM
- PUSH M
- PUSH_M
- ADHIE
- MACAN
- AD HIE
- AD_HIE
- EVANTA
- FAJAR
- CUEX
- JOWOBOT
- HELLSPAWN
- PLUTO
- BLUESCREEN
- RORO
- XNADROS
- X4NDR05
- DEWA
- MUSIC
- MUSIK
- RHAPSODY
- MP3
- MP 3
- SONG
- SING
- MEDIA PLAYER
- WINAMP
- RTLRACK
- PINNACLE
- TUNE
- DR.WEB
- I*N
- FOLDER OPTION
- SEARCH RESULTS
- CONFIGURATION UTILITY
- CabinetW
- rellikitlMultikiller
- Multikiller
- Multikiller2
- Registry Editor
- System Configuration Utility
- System Restore
- Process Viewer
- Process Explorer
- Zanda's little helper
- CBAV
- PROCEXPL
- PrcView
- TSystemCleaner
- TMainF
- TmainF
- TForm1
- CurrProcess
- Warecase
- AnVir
- TShowSplash
- ConsoleW
- RegEdit
- ANVIE
The worm terminates processes with any of the following strings in the name:
- client008.exe
The worm may set the following Registry entries:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\freecell.exe]
- "Debugger" = "C:\Program Files\Common Files\freecel.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshearts.exe]
- "Debugger" = "C:\Program Files\Common Files\msheart.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
- "Debugger" = "C:\Program Files\Common Files\N0TEPAD.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winmine.exe]
- "Debugger" = "C:\Program Files\Common Files\w1nm1ne.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\calc.exe]
- "Debugger" = "C:\Program Files\Common Files\kalkulator.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
- "Debugger" = "C:\Program Files\Common Files\tskmgr.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe]
- "Debugger" = "C:\Program Files\Common Files\reged1t.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sol.exe]
- "Debugger" = "C:\Program Files\Common Files\kartu.exe"
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
- "Append____________Nempel_Serv1ce" = "explorer.exe"
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
- "Kata_Sambutan" = "Mr_CoolFace_Datang_Lagi"
- [HKEY_CURRENT_USER\Identities\{%?%}\Software\Microsoft\Outlook Express\5.0\Mail]
- "Warn on Mapi Send" = 0
A string with variable content is used instead of %?%.
The following file is deleted:
- C:\Program Files\Common Files\Mutation.bat
The worm may create copies of the following files (source, destination):
- %system32%\cmd.exe, C:\Program Files\Common Files\_cmd.exe
- %system32%\freecell.exe, C:\Program Files\Common Files\freecel.exe
- %system32%\mshearts.exe, C:\Program Files\Common Files\msheart.exe
- %system32%\notepad.exe, C:\Program Files\Common Files\N0TEPAD.exe
- %system32%\winmine.exe, C:\Program Files\Common Files\w1nm1ne.exe
- %system32%\calc.exe, C:\Program Files\Common Files\kalkulator.exe
- %system32%\taskmgr.exe, C:\Program Files\Common Files\tskmgr.exe
- %system32%\sol.exe, C:\Program Files\Common Files\kartu.exe
- %system32%\spider.exe, C:\Program Files\Common Files\Laba_Laba.exe
- %windir%\pchealth\helpctr\binaries\msconfig.exe, C:\Program Files\Common Files\msconf1g.exe
- %windir%\regedit.exe, C:\Program Files\Common Files\reged1t.exe
The worm may replace these files with a copy of itself.
The worm may display a dialog box with the title:
- Mr_CoolFace Mohon Maaf Lahir Dan Batin
The dialog box contains the following text:
- Please Pardon Me Ya !
The worm may open the CD/DVD drive.