Description
Visible Symptoms
- Infected systems have the right-click function of the mouse disabled
- Task Manager and the command line (CMD) are also not
accessible on a compromised system
Detailed Analysis
This virus spreads through MSN Internet Messenger.
Once received and then executed, the virus loads into
memory. Then, it drops the file "svchosts.exe"
into the System32 folder. This file is another virus
detected as "W32/SDBot.AEA-net."
Loading at Windows Startup
When this virus is run, it registers itself to load
at each Windows startup. It does this by adding the
registry value "ine" with data "svchosts.exe"
to the following registry keys:
HKEY_CURRENT_USER\Software\Microsoft\OLE
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_USER\Software\Microsoft\OLE
After restarting, an infected machine becomes vulnerable
to remote attack because the SDBot virus is loaded.
.PIF file creation
This virus drops the following files in the root folder
("C:\"); these files are then retransmitted to the user's MSN
Internet Messenger contacts:
hahahaha.pif
naked_drunk.pif
LOL.scr
Webcam.pif
me_2005.pif
sister.pif
This virus then disables the right-click button of the mouse
and disables access to Task Manager (taskmgr.exe) and
the command line (cmd.exe).
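
The indicators listed above can be turned into a read-only host check. The following PowerShell is an added example, not part of the original entry or of any vendor tooling; the function and variable names are hypothetical, while the key paths, the value name and the file names are the ones given above.

```powershell
# Added example: indicator check built from the registry keys and file names in this entry.
# Function and variable names are hypothetical. The script only reads; it changes nothing.
$ValueName = 'ine'            # autorun value name given in the entry
$Payload   = 'svchosts.exe'   # note the trailing "s"; the legitimate Windows binary is svchost.exe

# Keys from the entry, as PowerShell registry provider paths.
# The entry's "HKEY_USER\Software\Microsoft\OLE" line is left out: the hive name as
# printed is not one the registry provider can open.
$Keys = @(
    'HKCU:\Software\Microsoft\OLE',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)

# Lure files the entry says are dropped in C:\ for sending to Messenger contacts.
$Lures = 'hahahaha.pif', 'naked_drunk.pif', 'LOL.scr', 'Webcam.pif', 'me_2005.pif', 'sister.pif'

function Find-SdbotIndicator {
    $found = @()
    foreach ($key in $Keys) {
        # A missing key or value raises an error, which is suppressed, and $null is returned.
        $prop = Get-ItemProperty -Path $key -Name $ValueName -ErrorAction SilentlyContinue
        if ($prop) {
            $found += [pscustomobject]@{
                Kind = 'Registry'; Location = $key; Detail = "$ValueName = $($prop.$ValueName)"
            }
        }
    }

    $paths = @(Join-Path $env:SystemRoot "System32\$Payload")
    $paths += $Lures | ForEach-Object { Join-Path 'C:\' $_ }
    foreach ($path in $paths) {
        # -Force so hidden or system-flagged files are still returned.
        $file = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
        if ($file -and -not $file.PSIsContainer) {
            $found += [pscustomobject]@{
                Kind = 'File'; Location = $file.FullName
                Detail = "{0} bytes, written {1:u}" -f $file.Length, $file.LastWriteTime
            }
        }
    }
    $found
}

$hits = @(Find-SdbotIndicator)
if ($hits.Count -eq 0) { 'No indicators from this entry were found.' }
else { $hits | Format-Table -AutoSize -Wrap }
```

Run it in the session of the affected user so that HKCU maps to that user's hive.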