Win32/Rovud [Threat Name]
Win32/Rovud.B [Threat Variant Name]
Category | worm
Size | 79360 B
Aliases | Net-Worm.Win32.Rovud.b (Kaspersky)
Aliases | W32/Rovud.worm (McAfee)
Aliases | Win32.HLLW.AntiDurov (Dr.Web)
Short description
The worm sends links to VKontakte.ru users. If the link is clicked, a copy of the worm is downloaded.
Installation
When executed, the worm copies itself into the %appdata%\Vkontakte\ folder using the following name:
- svc.exe
The worm creates the following files:
- deti.jpg
In order to be executed on every system start, the worm sets the following Registry entries:
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
- "DurovVkon" = "%filepath%"
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- "DurovVkon" = "%filepath%"
The worm registers itself as a system service using the following name:
- Durov VKontakte Service
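As an added triage example (not part of the ESET description), the Python below checks a .reg export of the two Run keys and a list of installed service names for the persistence indicators listed above. The registry export text and the service list are constructed sample input, not data from a real infection.

```python
import re

# Persistence indicators taken from the Win32/Rovud.B description above.
RUN_VALUE_NAME = "DurovVkon"
SERVICE_NAME = "Durov VKontakte Service"
DROP_PATH_SUFFIX = r"\vkontakte\svc.exe"   # %appdata%\Vkontakte\svc.exe

# Constructed sample: an export of both Run keys, each with one clean and one infected entry.
SAMPLE_REG_EXPORT = r"""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"DurovVkon"="C:\\Users\\alice\\AppData\\Roaming\\Vkontakte\\svc.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
"DurovVkon"="C:\\Users\\alice\\AppData\\Roaming\\Vkontakte\\svc.exe"
"""

# Constructed sample service list (e.g. from `sc query` or Get-Service output).
SAMPLE_SERVICES = ["Dhcp", "Durov VKontakte Service", "Spooler"]

VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_run_entries(reg_text):
    """Return (key, value_name, data) tuples from a .reg export of Run keys."""
    entries, current_key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
        elif current_key and line.startswith('"'):
            m = VALUE_RE.match(line)
            if m:
                # .reg files escape backslashes; undo that before path matching.
                entries.append((current_key, m.group(1), m.group(2).replace("\\\\", "\\")))
    return entries


def find_rovud_indicators(reg_text, service_names):
    """Flag Run entries and services matching the Rovud.B persistence indicators.

    Matches either the known value name or any autorun whose data points at the
    dropped file path, so a renamed value name is still caught."""
    hits = []
    for key, name, data in parse_run_entries(reg_text):
        if name == RUN_VALUE_NAME:
            hits.append(("run_value_name", key, name, data))
        elif data.lower().endswith(DROP_PATH_SUFFIX):
            hits.append(("run_dropped_path", key, name, data))
    for svc in service_names:
        if svc == SERVICE_NAME:
            hits.append(("service_name", svc, "", ""))
    return hits
```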
Spreading
The worm sends links to VKontakte.ru users.
If the link is clicked, a copy of the worm is downloaded.
Other information
The worm may display the following file: deti.jpg
The worm opens the file using the default image viewer.
If the current system date and time matches certain conditions, the worm attempts to delete all files and folders stored on the available drives.
It avoids those with any of the following strings in their names:
- ntldr
- bootmgr
The worm displays a window titled
- Павел Дуров
that contains the following text: