Threat Encyclopedia



  • The virus is 32bit with a compressed file size of 66,048 bytes
  • If virus is run, it will use imports from PSAPI.DLL in order to enumerate threads and processes and then attempt to terminate them - these processes are related to Antivirus or utility application software
  • The virus may replace the content of .HTM or .HTML files with the following script -

    <BR><BR><BR><CENTER><B><U> Ha..Ha..Haaa...</CENTER></U></B>

  • The virus may harvest the hard drive for email addresses by looking in such places as the registry and various files on the infected system - the email addresses are used by the virus to send variable subject / body emails with an infectious attachment

  • The virus seeks contact names from the MSN Messenger and Yahoo application from the registry

  • The virus may parse UIN files associated with ICQ chat client and retrieve email addresses

  • The virus creates two files "HOSTS." And "LMHOSTS." - these files contain IP resolution changes so that attempts to browse to the following sites redirect the browser to -

  • The virus will modify the registry to ensure the likelihood of the virus being executed numerous times - when files with .BAT, .EXE or .COM are run, the virus will run first and the initial file may or not execute -

    "@" = "C:\WINDOWS\SYSTEM\MSEXEC.EXE""undefined1"undefined*

    "@" = "C:\WINDOWS\SYSTEM\MSEXEC.EXE""undefined1"undefined*

    "@" = "C:\WINDOWS\SYSTEM\MSEXEC.EXE""undefined1"undefined*

    "@" = "C:\WINDOWS\SYSTEM\MSEXEC.EXE""undefined1"undefined*

    "@" = "C:\WINDOWS\SYSTEM\MSEXEC.EXE""undefined1"undefined*

    "@" = "C:\WINDOWS\SYSTEM\MSEXEC.EXE""undefined1"undefined*

    Original value for "@" in above keys ="undefined1" undefined*