- Samples are packed with Upack.
- Drops a copy of itself to the Windows folder as rundl132.exe.
- Adds the following registry entry:
auto = "1"
- Adds the following registry entry in Windows 9x systems:
load = "%Windows%\rundl132.exe"
- Modifies the following registry entry in Windows NT-based systems:
load = "%Windows%\rundl132.exe" (Default is "")
- Drops the file viDll.dll to the current folder. This file is detected as W32/HLLP.AG!worm.
- Scans all folders and subfolders for EXE files to infect. It drops the file _desktop.ini to the folders that it has scanned. This file contains the current date in the format YYYY/MM/DD.
- Prepends itself to files in order to infect them. When an infected file is executed, the worm removes itself from that file, leaving the host file clean. However, the infection routine is still executed first, so other files are infected.
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the 'Allow Push Update' option.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
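The _desktop.ini marker and the dropped file names above give a defender something to sweep for on a suspected host. The following is an added example, not Fortinet's or the worm's code: it walks a directory tree, flags any `_desktop.ini` whose entire content is a valid YYYY/MM/DD date (distinct from the legitimate Windows `desktop.ini`), and reports files named rundl132.exe or viDll.dll. The sample tree it builds in `demo()` is constructed for illustration.

```python
import os
import re
import tempfile
from datetime import datetime
from pathlib import Path

# Marker left in every folder the worm has scanned (per the description above):
# a file named _desktop.ini holding only a date in YYYY/MM/DD form.
# Note the leading underscore: Windows' own desktop.ini is a legitimate file.
MARKER_NAME = "_desktop.ini"
DATE_RE = re.compile(r"^\s*(\d{4})/(\d{2})/(\d{2})\s*$")
# File names the description associates with this infection (matched case-insensitively).
DROPPED_NAMES = {"rundl132.exe", "vidll.dll"}


def is_worm_marker(path) -> bool:
    """True if `path` is a _desktop.ini whose whole content is a valid YYYY/MM/DD date."""
    path = Path(path)
    if path.name.lower() != MARKER_NAME:
        return False
    try:
        text = path.read_text(encoding="ascii")
    except (OSError, UnicodeDecodeError):
        return False
    m = DATE_RE.match(text)
    if not m:
        return False
    try:
        datetime(int(m[1]), int(m[2]), int(m[3]))  # rejects e.g. 2006/13/40
    except ValueError:
        return False
    return True


def sweep(root) -> dict:
    """Walk `root`; return paths of worm markers and of files carrying dropped-file names."""
    findings = {"markers": [], "dropped": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if name.lower() in DROPPED_NAMES:
                findings["dropped"].append(str(p))
            elif is_worm_marker(p):
                findings["markers"].append(str(p))
    return findings


def demo() -> dict:
    """Build a constructed sample tree in a temp dir and sweep it (no real malware involved)."""
    base = Path(tempfile.mkdtemp())
    (base / "share" / "tools").mkdir(parents=True)
    (base / "share" / MARKER_NAME).write_text("2006/09/15")        # worm-style marker
    (base / "share" / "tools" / MARKER_NAME).write_text("hello")   # wrong content, ignored
    (base / "share" / "tools" / "viDll.dll").write_bytes(b"MZ")    # dropped-file name
    (base / "desktop.ini").write_text("[.ShellClassInfo]")          # legitimate Windows file
    return sweep(base)
```

A hit on the marker alone only shows the folder was visited; the EXE files in it should still be checked and restored from clean backups as the action above says.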