Virus.Win32.SALITY.RS

This Virus arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It enables its automatic execution at every system startup by dropping copies of itself into the Windows Common Startup folder.

It drops copies of itself in removable drives. These dropped copies use the names of the folders located on the said drives for their file names. It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

It accesses websites to download files. This action allows this malware to possibly add other malware on the affected computer.

However, as of this writing, the said sites are inaccessible.

Arrival Details

This Virus arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Virus drops the following copies of itself into the affected system:

• %AppDataLocal%\smss.exe
• %AppDataLocal%\services.exe
• %AppDataLocal%\lsass.exe
• %AppDataLocal%\inetinfo.exe
• %AppDataLocal%\csrss.exe
• %AppDataLocal%\winlogon.exe
• %System%\3D Animation.scr
• %User Profile%\Templates\A.kotnorB.com
• %Windows%\inf\norBtok.exe

It drops the following files:

• %System%\drivers\{6 Random Characters}.sys
• %User Temp%\win{5 Random Characters 1}.exe ← ntkrnlpa.exe copy
• %User Temp%\win{5 Random Characters 2}.exe
• %System Root%\(6 Random Characters}.pif
• {All Available Drives}\autorun.inf
• {All Available Drives}\{5 Random Characters}.exe
• %AppDataLocal%\Kosong.Bron.Tok.txt
• %AppDataLocal%\Bron.tok.A3.em.bin ← Deleted afterwards
• %AppDataLocal%\Ok-SendMail-Bron-tok{email}.ini
• %AppDataLocal%\NetMailTmp.bin
• %AppDataLocal%\BronFoldNetDomList.txt ← Deleted afterwards
• %AppDataLocal%\BronNetDomList.bat ← Deleted afterwards
• %AppDataLocal%\BronNPath0.txt ← Deleted afterwards
• %AppDataLocal%\Update.AN3A.Bron.Tok.exe ← Deleted afterwards
• %AppDataLocal%\Update.AN3A.Bron.Tok.tempo.exe
• %AppDataLocal%\Update.3.Bron.Tok.bin ← Deleted afterwards
• %AppDataLocal%\BrontokInf.txt
• %User Profile%\Pictures\about.Brontok.A.html
• %AppDataLocal%\Loc.Mail.Bron.Tok\{email}.ini

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %System Root% is the Windows root folder, where it usually is C:\ on all Windows operating system versions.. %AppDataLocal% is the Local Application Data folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name} on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It creates the following folders:

• %AppDataLocal%\Bron.tok-3-{Current Day}

(Note: %AppDataLocal% is the Local Application Data folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• uxJLpe1m ← For the malware itself
• {Process Name}M_{PID in Decimal} ← For all running processes

Autostart Technique

This Virus adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
Tok-Cirrhatus = %AppDataLocal%\smss.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
Bron-Spizaetus = %Windows%\inf\norBtok.exe

It enables its automatic execution at every system startup by dropping the following copies of itself into the Windows Common Startup folder:

• %User Profile%\Programs\Startup\Empty.pif

(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name} on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

The scheduled task executes the malware every:

• 5:08 PM every day

Other System Modifications

This Virus deletes the following files:

• %System%\drivers\{6 Random Characters}.sys
• %User Temp%\win{5 Random Characters 1}.exe ← ntkrnlpa.exe copy
• %User Temp%\win{5 Random Characters 2}.exe

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It adds the following line(s)/entry(ies) in the SYSTEM.INI file:

• [mci]
• [MCIDRV_VER]
• DEVICEMB={Random Decimal Numbers}

It adds the following registry entries:

HKEY_CURRENT_USER\Software\{Derived from User Name}\
2033412880
{Derived from the first 4 letters of the User Name} = {Decimal Value}

HKEY_CURRENT_USER\Software\{Derived from User Name}\
2033412880
{Derived from the first 4 letters of the User Name} = {Hex Values}

It modifies the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
AntiVirusDisableNotify = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
FirewallDisableNotify = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
FirewallOverride = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
UpdatesDisableNotify = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
UacDisableNotify = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Svc
AntiVirusOverride = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Svc
AntiVirusDisableNotify = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Svc
FirewallDisableNotify = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Svc
FirewallOverride = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Svc
UpdatesDisableNotify = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Svc
UacDisableNotify = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
AntiVirusOverride = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings
GlobalUserOffline = 0

(Note: The default value data of the said registry entry is 1.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Policies\
System
EnableLUA = 0

(Note: The default value data of the said registry entry is 1.)

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile
EnableFirewall = 0

(Note: The default value data of the said registry entry is 1.)

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile
DoNotAllowExceptions = 0

(Note: The default value data of the said registry entry is 1.)

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile
DisableNotifications = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
System
DisableCMD = 0

(Note: The default value data of the said registry entry is 1.)

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
System
DisableRegistryTools = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Explorer
NoFolderOptions = 1

(Note: The default value data of the said registry entry is 0.)

It modifies the following registry entries to hide files with Hidden attributes:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
Hidden = 2

(Note: The default value data of the said registry entry is 1.)

It deletes the following registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\Safeboot

File Infection

This Virus infects the following file types:

• .exe
• .scr

It avoids infecting the following files:

• Protected System Files
• Files in CD-ROM drives

Propagation

This Virus drops the following copy(ies) of itself in all removable drives:

• {Removable Drive Letter}:\Data {username}.exe

It drops copies of itself in removable drives. These dropped copies use the names of the folders located on the said drives for their file names.

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

The said .INF file contains the following strings:

Note: The order of autorun.inf strings may vary and may contain a combination of uppercase and lowercase letters
;{Garbage Characters}
[AutoRun]
;{Garbage Characters}
ShEll\OPeN\coMMaNd ={Random Characters}.{pif/exe}
;
Open={Random Characters}.{pif/exe}
;
shelL\ExPLorE\CommanNd={Random Characters}.{pif/exe}
shELl\Open\DefAUlT=1
;{Garbage Characters}
shell\aUToplay\CoMMANd ={Random Characters}.{pif/exe}

It appends the following strings to Simple Mail Transfer Protocol (SMTP) servers:

• smtp.
• mail.
• ns1.

It gathers target email addresses from files with the following extensions:

• .ASP
• .CFM
• .CSV
• .DOC
• .EML
• .HTM
• .HTML
• .PHP
• .TXT
• .WAB

It avoids sending email messages to addresses containing the following strings:

• ..
• .@
• .ASP
• .EXE
• .HTM
• .ID
• .JS
• .PHP
• .VBS
• @.
• @123
• @ABC
• @MAC
• ADMIN
• ADOBE
• AHNLAB
• ALADDIN
• ALERT
• ALERT
• ALWIL
• ANTIGEN
• APACHE
• ARCHIEVE
• ASDF
• ASSOCIATE
• ASTAGA
• AVAST
• AVG
• AVIRA
• BILLING@
• BLACK
• BLAH
• BLEEP
• BOLEH
• BROWSE
• BUG
• BUILDER
• BUNTU
• CANON
• CILLIN
• CISCO
• CLICK
• CNET
• COMPUSE
• COMPUTE
• CONTOH
• CRACK
• DARK
• DATABASE
• DEMO
• DEVELOP
• DEVELOP
• DOMAIN
• DOWNLOAD
• ELECTRO
• ELEKTRO
• EMAILKU
• ESAFE
• ESAVE
• ESCAN
• EXAMPLE
• FEEDBACK
• FOO@
• FREE
• FUCK
• FUJI
• FUJITSU
• GATEWAY
• GAUL
• GOOGLE
• GRISOFT
• GROUP
• HACK
• HAURI
• HIDDEN
• HP.
• IBM.
• IEEE
• INDO
• INFO@
• INFORMA
• INTEL.
• IPTEK
• KDE
• KOMPUTER
• LAB
• LINUX
• LOOKSMART
• LOTUS
• LUCENT
• MACRO
• MASTER
• MATH
• MICRO
• MICROSOFT
• MOZILLA
• MYSQL
• NASA
• NETSCAPE
• NETWORK
• NEWS
• NOD32
• NOKIA
• NORMAN
• NORTON
• NOVELL
• NVIDIA
• OPERA
• OVERTURE
• PANDA
• PLASA
• POSTGRE
• PROGRAM
• PROLAND
• PROMO
• PROTECT
• PROXY
• RECIPIENT
• REDHA
• REGIST
• RELAY
• RESPONSE
• ROBOT
• SALES
• SATU
• SECUN
• SECURE
• SECURITY
• SEKUR
• SENIOR
• SERVER
• SERVICE
• SIEMENS
• SIERRA
• SLACK
• SMTP
• SOFT
• SOME
• SOURCE
• SPAM
• SPERSKY
• SPYW
• STUDIO
• SUN.
• SUPPORT
• SUSE
• SYBARI
• SYMANTEC
• SYNDICAT
• TELECOM
• TELKOM
• TEST
• TRACK
• TREND
• TRUST
• UPDATE
• UPDATE
• USERNAME
• VAKSIN
• VAKSIN
• VIRUS
• W3.
• WWW
• XANDROS
• XEROX
• XXX
• YOUR
• ZDNET
• ZEND
• ZOMBIE

Process Termination

This Virus terminates the following services if found on the affected system:

• acssrv
• Agnitum Client Security Service
• ALG
• Amon monitor
• aswFsBlk
• aswMon2
• aswRdr
• aswSP
• aswTdi
• aswUpdSv
• AV Engine
• avast! Antivirus
• avast! Asynchronous Virus Monitor
• avast! iAVS4 Control Service
• avast! Mail Scanner
• avast! Self Protection
• avast! Web Scanner
• AVG E-mail Scanner
• Avira AntiVir Premium Guard
• Avira AntiVir Premium MailGuard
• Avira AntiVir Premium WebGuard
• AVP
• BGLiveSvc
• BlackICE
• CAISafe
• ccEvtMgr
• ccProxy
• ccSetMgr
• cmdAgent
• cmdGuard
• COMODO Firewall Pro Sandbox Driver
• Eset HTTP Server
• Eset Personal Firewall
• Eset Service
• F-Prot Antivirus Update Monitor
• fsbwsys
• FSDFWD
• F-Secure Gatekeeper Handler Starter
• FSMA
• Google Online Services
• InoRPC
• InoRT
• InoTask
• ISSVC
• KLIF
• KPF4
• LavasoftFirewall
• LIVESVR
• McAfeeFramework
• McShield
• McTaskManager
• MpsSvc
• navapsvc
• NOD32krn
• NPFMntor
• NSCService
• Outpost Firewall main module
• OutpostFirewall
• PAVFIRES
• PAVFNSVR
• PavProt
• PavPrSrv
• PAVSRV
• PcCtlCom
• PersonalFirewal
• PREVSRV
• ProtoPort Firewall service
• PSIMSVC
• RapApp
• SavRoam
• SharedAccess
• SmcService
• SNDSrv
• SPBBCSvc
• SpIDer FS Monitor for Windows NT
• SpIDer Guard File System Monitor
• SPIDERNT
• Symantec Antivirus
• Symantec AntiVirus Definition Watcher
• Symantec Core LC
• Symantec Password Validation
• Tmntsrv
• TmPfw
• UmxAgent
• UmxCfg
• UmxLU
• UmxPol
• vsmon
• VSSERV
• WebrootDesktopFirewallDataService
• WebrootFirewall
• wscsvc
• XCOMM

It terminates the following processes if found running in the affected system's memory:

• .dCFIAUDIT.
• A2CMD.
• A2FREE
• A2GUARD
• A2SERVICE.
• ADVCHK.
• AGB.
• AHPROCMONSERVER.
• AIRDEFENSE
• AKRNL.
• ALERTSVC
• AMON.
• ANTIVIR
• APVXDWIN.
• ARMOR2NET.
• ASHAVAST.
• ASHDISP.
• ASHENHCD.
• ASHMAISV.
• ASHPOPWZ.
• ASHSERV.
• ASHSIMPL.
• ASHSKPCK.
• ASHWEBSV.
• ASWSCAN
• ASWUPDSV.
• AVAST
• AVAST
• AVCENTER
• AVCIMAN.
• AVCONSOL.
• AVENGINE.
• AVESVC.
• AVEVAL.
• AVEVL32.
• AVGAM
• AVGCC.AVGCHSVX.
• AVGCC32.
• AVGCSRVX.
• AVGCTRL.
• AVGEMC.
• AVGFWSRV.
• AVGNSX.
• AVGNT.
• AVGNTMGR
• AVGSERV.
• AVGTRAY.
• AVGUARD.
• AVGUPSVC.
• AVGWDSVC.
• AVINITNT.
• AVIRA
• AVKSERV.
• AVKSERVICE.
• AVKWCTL.
• AVP.
• AVP32.
• AVPCC.
• AVPM.
• AVSCHED32.
• AVSERVER.
• AVSYNMGR.
• AVWUPD32.
• AVWUPSRV.
• AVXMONITOR
• AVXQUAR.
• AVZ.
• BDSWITCH.
• BITDEFENDER
• BLACKD.
• BLACKICE.
• CAFIX.
• CCEVTMGR.
• CCSETMGR.
• CFP.
• CFPCONFIG.
• CLAMTRAY.
• CLAMWIN.
• CUREIT
• DEFENDERDAEMON
• DEFWATCH.
• DRVIRUS.
• DRWADINS.
• DRWEB
• DWEBIO
• DWEBLLIO
• EKRN.
• ESCANH95.
• ESCANHNT.
• EWIDOCTRL.
• EZANTIVIRUSREGISTRATIONCHECK.
• F-AGNT95.
• FAMEH32.
• FILEMON
• FIREWALL
• FORTICLIENT
• FORTISCAN
• FORTITRAY.
• FPAVSERVER.
• FPROTTRAY.
• FPWIN.
• FRESHCLAM.
• FSAV32.
• FSAVGUI.
• FSBWSYS.
• F-SCHED.
• FSDFWD.
• FSGK32.
• FSGK32ST.
• FSGUIEXE.
• FSMA32.
• FSMB32.
• FSPEX.
• FSSM32.
• F-STOPW.
• GCASDTSERV.
• GCASSERV.
• GIANTANTISPYWARE
• GUARDGUI.
• GUARDNT.
• GUARDXKICKOFF.
• GUARDXSERVICE.
• HREGMON.
• HRRES.
• HSOCKPE.
• HUPDATE.
• IAMAPP.
• IAMSERV.
• ICLOAD95.
• ICLOADNT.
• ICMON.
• ICSSUPPNT.
• ICSUPP95.
• ICSUPPNT.
• INETUPD.
• INOCIT.
• INORPC.
• INORT.
• INOTASK.
• INOUPTNG.
• IOMON98.
• IPTRAY.
• ISAFE.
• ISATRAY.
• KAV.
• KAVMM.
• KAVPF.
• KAVPFW.
• KAVSTART.
• KAVSVC.
• KAVSVCUI.
• KMAILMON.
• MAMUTU
• MCAGENT.
• MCMNHDLR.
• MCREGWIZ.
• MCUPDATE.
• MCVSSHLD.
• MINILOG.
• MYAGTSVC.
• MYAGTTRY.
• NAVAPSVC.
• NAVAPW32.
• NAVLU32.
• NAVW32.
• NEOWATCHLOG.
• NEOWATCHTRAY.
• NISSERV
• NISUM.
• NMAIN.
• NOD32
• NORMIST.
• NOTSTART.
• NPAVTRAY.
• NPFMNTOR.
• NPFMSG.
• NPROTECT.
• NSCHED32.
• NSMDTR.
• NSSSERV.
• NSSTRAY.
• NTOS.
• NTRTSCAN.
• NTXCONFIG.
• NUPGRADE.
• NVCOD.
• NVCTE.
• NVCUT.
• NWSERVICE.
• OFCPFWSVC.
• ONLINENT.
• OP_MON.
• OPSSVC.
• OUTPOST
• PAVFIRES.
• PAVFNSVR.
• PAVKRE.
• PAVPROT.
• PAVPROXY.
• PAVPRSRV.
• PAVSRV51.
• PAVSS.
• PCCGUIDE.
• PCCIOMON.
• PCCNTMON.
• PCCPFW.
• PCCTLCOM.
• PCTAV.
• PERSFW.
• PERTSK.
• PERVAC.
• PESTPATROL
• PNMSRV.
• PREVSRV.
• PREVX
• PSIMSVC.
• QHONLINE.
• QHONSVC.
• QHSET.
• QHWSCSVC.
• QUHLPSVC.
• RFWMAIN.
• RTVSCAN.
• RTVSCN95.
• SALITY
• SAPISSVC.
• SAVADMINSERVICE.
• SAVMAIN.
• SAVPROGRESS.
• SAVSCAN.
• SCANNINGPROCESS.
• SCANWSCS.
• SDHELP.
• SDRA64.
• SHSTAT.
• SITECLI.
• SPBBCSVC.
• SPHINX.
• SPIDERCPL.
• SPIDERML.
• SPIDERNT.
• SPIDERUI.
• SPYBOTSD.
• SPYXX.
• SS3EDIT.
• STOPSIGNAV.
• SWAGENT.
• SWDOCTOR.
• SWNETSUP.
• SYMLCSVC.
• SYMPROXYSVC.
• SYMSPORT.
• SYMWSC.
• SYNMGR.
• TAUMON.
• TBMON.
• TMLISTEN.
• TMNTSRV.
• TMPROXY.
• TNBUTIL.
• TRJSCAN.
• TROJAN.
• VBA32ECM.
• VBA32IFS.
• VBA32LDR.
• VBA32PP3.
• VBSNTW.
• VCRMON.
• VPTRAY.
• VRFWSVC.
• VRMONNT.
• VRMONSVC.
• VRRW32.
• VSECOMR.
• VSHWIN32.
• VSMON.
• VSSERV.
• VSSTAT.
• WATCHDOG.
• WEBSCANX.
• WINSSNOTIFY.
• WRCTRL.
• XCOMMSVR.
• ZLCLIENT
• ZONEALARM

Download Routine

This Virus accesses websites to download the following files:

• http://pelcpawel.fm.{BLOCKED}a.pl/logos.gif
• http://{BLOCKED}tara.com/logof.gif
• http://{BLOCKED}lie.com/images/logos.gif
• http://{BLOCKED}nt-eg.com/images/logosa.gif
• http://www.{BLOCKED}ogullari.com/logof.gif
• http://www.{BLOCKED}becreatives.com/logos.gif
• http://{BLOCKED}metgrup.com/images/logosa.gif
• http://{BLOCKED}uncil.ya.funpic.de/images/logos.gif
• http://{BLOCKED}asa.com/images/logos.gif
• http://{BLOCKED}..19.14/logo.gif
• http://{BLOCKED}ies.com/jowobot123/BrontokInf.txt

Other Details

This Virus adds and runs the following services:

asmint32
ImagePath = %System%\drivers\{6 Random Characters}.sys

IpFilterDriver
ImagePath = %System%\drivers\ipfltdrv.sys

It does the following:

• It restarts the system if the following strings are present in an existing window:
  • .EXE
  • BLEEPING
  • CLEANER
  • COMMAND PROMPT
  • FAJARWEB
  • GROUP POLICY
  • HIJACK
  • KILLBOX
  • LOG OFF WINDOWS
  • MOVZX
  • PROCESS EXP
  • REGISTRY
  • REMOVER
  • SCRIPT HOST
  • SHUTDOWN
  • SYSINTERNAL
  • SYSTEM CONFIGURATION
  • TASK KILL
  • TASKKILL
• It distributes itself via email with the following file name:
  • winword.exe
  • kangen.exe
  • ccapps.exe
• It may spoof the "From" field with the following email addresses:
  • Berita_{email}@kafegaul.com
  • GaulNews_{email}@kafegaul.com
  • Movie_{email}@pornstargals.com
  • HotNews_{email}@pornstargals.com

However, as of this writing, the said sites are inaccessible.

It terminates itself if windows or classes contain any of the following string(s):

• .EXE
• BLEEPING
• CLEANER
• COMMAND PROMPT
• FAJARWEB
• GROUP POLICY
• HIJACK
• KILLBOX
• LOG OFF WINDOWS
• MOVZX
• PROCESS EXP
• REGISTRY
• REMOVER
• SCRIPT HOST
• SHUTDOWN
• SYSINTERNAL
• SYSTEM CONFIGURATION
• TASK KILL
• TASKKILL