Virut.A_1008 is a polymorphic file infector virus that target Microsoft Windows operating systems. It is known to infect files with .exe and .scr extensions on local drives, removable media, and network shares.
Process Related Changes
It creates the following mutex(es):
- CTF.TimListCache.FMPDefaultS-1-5-21-1078081533-842925246-854245398-1003MUTEX.DefaultS-1-5-21-1078081533-842925246-854245398-1003"
- MSCTF.Shared.MUTEX.MLH"
- c:!documents and settings!admin!local settings!history!history.ie5!"
- CTF.TMD.MutexDefaultS-1-5-21-1078081533-842925246-854245398-1003"
- c:!documents and settings!admin!local settings!temporary internet files!content.ie5!"
- CTF.Compart.MutexDefaultS-1-5-21-1078081533-842925246-854245398-1003"
- CTF.Layouts.MutexDefaultS-1-5-21-1078081533-842925246-854245398-1003"
- CTF.Asm.MutexDefaultS-1-5-21-1078081533-842925246-854245398-1003"
- CTF.LBES.MutexDefaultS-1-5-21-1078081533-842925246-854245398-1003"
- c:!documents and settings!admin!cookies!"
It creates the following process(es): - C:\WINDOWS\Temp\517c999aa46191a21218709aa046846a.exe [ \c:\windows\temp\517c999aa46191a21218709aa046846a.exe ]
It injects malicious code into the following process(es): - "C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe"
- "C:\WINDOWS\system32\svchost.exe"
- "C:\WINDOWS\system32\tlntsrv.exe"
- "C:\WINDOWS\system32\winlogon.exe"
- "C:\WINDOWS\system32\rundll32.exe"
- "C:\WINDOWS\system32\ctfmon.exe"
- "C:\WINDOWS\explorer.exe"
- "C:\WINDOWS\system32\services.exe"
- "C:\WINDOWS\system32\alg.exe"
- "C:\WINDOWS\system32\lsass.exe"
- "C:\Program Files\Java\jre6\bin\jqs.exe"
- "C:\WINDOWS\system32\spoolsv.exe"
Network Activity
We observed the following DNS query/queries:
It attempts to connect to the following remote servers:
Registry Related Changes
It makes the following registry modifications to ensure infection after system reboot: - HKLM\system\CurrentControlSet\Services\= g
- HKLM\system\CurrentControlSet\Services\sharedaccess\epoch\= g
- HKLM\system\CurrentControlSet\Services\tcpip\parameters\= g
|
