W32/Bugsoft
Analysis
- Virus is 32-bit with a compressed file size of 28,160 bytes
- Virus was coded using Visual Basic 6 and requires MSVBVM60.DLL in order to be a threat; virus also requires that Windows is installed to the path "C:\Windows" due to hard-coded file copy instructions
- If the virus is run, it may display some dialogue boxes with the following information -
dialogue box 1 (may be displayed as many as three times)
------------------
FORMAT DISK!
VIRUS!
[OK]
------------------
dialogue box 2
-------------------------------------------------------------------
Hahahahahahaha! SortCut Killer Virus In You System!
I LOVE YOU!
Virus Name: Short Cut Killer.
Version: 1.02
Properties: Memory Resident,Macro,Worm Like Characterestics.
Native Place: India
Effecting: I Cant Tell You Just See It!.
Activated: When You Create Any ShortCut In Desktop.
Main Problem: Swallow the System Core Memory.
CANT REMOVE ME FROM YOUR SYTEM!!!!!!!!!!
Wrtten in the Language: Visual Basic
Email Spreading : true
HELOW MY DEAR FRIEND,
i AM sORRY tO sAY tHAT yOUR sYSTEM gOT
eFFECTED bY sHORTcUT kILLER vIRUS bY mE .i AM a
sTUDENT oF bSC.cOMPUTER sCIENCE.aND i gOT
mANY cHEATING fROM mY dEVIL fRIENDS.sO i WANT
tO sPREAD tHIS mRSSAGE ovERALL wORLD.that
dONT cHEATE fRIENDS oK
-------------------------------------------------------------------
- The virus will write itself and two other files to the following locations -
c:\WINDOWS\game.exe (32,768 bytes)
c:\WINDOWS\love.exe (32,768 bytes)
c:\WINDOWS\Start Menu\Programs\StartUp\love.exe (32,768 bytes)
c:\WINDOWS\jk.bat (3,101 bytes)
c:\WINDOWS\mail.vbs (636 bytes)
- The file "mail.vbs" contains broken code intended to send an email with the virus as an attachment in the following format -
Subject: My Sexy Movie DownLoader Here!
Body:
Hey Sexy You Wanna See My selfFucking Movie?
Attachment: love.exe
- The virus will launch the batch script file "jk.bat"
- Jk.bat will attempt to move Norton program files into the Recycle Bin -
c:\progra~1\norton~1 => c:\recycled
c:\progra~1\norton~2 => c:\recycled
- Jk.bat will attempt to move other files into the Recycle Bin -
c:\mydocu~1\mypict~1\*.jpg => c:\recycled
c:\windows\*.bmp => c:\recycled
c:\windows\desktop\*.* => c:\recycled
- The virus will replace existing files on the system with a copy of itself under the same name -
c:\WINDOWS\CALC.EXE
c:\WINDOWS\NOTEPAD.EXE
c:\WINDOWS\PBRUSH.EXE
c:\WINDOWS\COMMAND\EDIT.COM
c:\WINDOWS\COMMAND\SCANDISK.EXE
c:\WINDOWS\COMMAND\SCANREG.EXE
c:\WINDOWS\COMMAND\SYS.COM
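
A triage check built from the two file lists above, as an added example that is not part of the original analysis. Because the virus overwrites system tools with copies of itself, any listed tool that is byte-identical to another listed tool or to a dropped executable is flagged; the function names `resolve` and `triage` and the idea of pointing it at a mounted drive root are assumptions of this example.

```python
import hashlib
from collections import defaultdict
from pathlib import Path

# Paths taken from the analysis above, relative to the Windows drive root.
DROPPED = ["WINDOWS/game.exe", "WINDOWS/love.exe",
           "WINDOWS/Start Menu/Programs/StartUp/love.exe",
           "WINDOWS/jk.bat", "WINDOWS/mail.vbs"]
OVERWRITTEN = ["WINDOWS/CALC.EXE", "WINDOWS/NOTEPAD.EXE", "WINDOWS/PBRUSH.EXE",
               "WINDOWS/COMMAND/EDIT.COM", "WINDOWS/COMMAND/SCANDISK.EXE",
               "WINDOWS/COMMAND/SCANREG.EXE", "WINDOWS/COMMAND/SYS.COM"]

def resolve(root, rel):
    """Case-insensitive lookup, so a FAT image mounted on Linux still matches."""
    cur = Path(root)
    for part in rel.split("/"):
        if not cur.is_dir():
            return None
        cur = next((c for c in cur.iterdir() if c.name.lower() == part.lower()), None)
        if cur is None:
            return None
    return cur if cur.is_file() else None

def triage(root):
    """Return (dropped files present, system files that look replaced)."""
    present = [rel for rel in DROPPED if resolve(root, rel)]
    by_hash = defaultdict(list)
    for rel in DROPPED[:3] + OVERWRITTEN:  # the three dropped executables plus the tools
        path = resolve(root, rel)
        if path:
            by_hash[hashlib.sha256(path.read_bytes()).hexdigest()].append(rel)
    replaced = set()
    for group in by_hash.values():
        # Distinct system tools are never byte-identical to each other
        # or to a dropped executable, so a shared hash means replacement.
        if len(group) > 1:
            replaced.update(r for r in group if r in OVERWRITTEN)
    return present, sorted(replaced)
```

Flagged system files need to be restored from known-good installation media, since the original contents were overwritten.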
Detection Availability
FortiClient: Extreme
FortiMail: Extreme
FortiSandbox: Extreme
FortiWeb: Extreme
Web Application Firewall: Extreme
FortiIsolator: Extreme
FortiDeceptor: Extreme
FortiEDR