• Virus is 32-bit with a compressed size of 67,104 bytes
  • File properties of the virus are the following:
    Description: Generic Host Process for Win32 Services
    Internal Name: winservices.exe
  • If the virus is run, it will copy itself to the Windows\System32 folder as “Winupdate.exe” and then load into memory
  • Virus will attempt to locate machines across the network and connect to them in order to infect them. It attempts these connections using the Administrator account and a hard-coded dictionary of passwords
  • Virus imports “WNetAddConnection2A”, “NetScheduleJobAdd” and “NetRemoteTOD” and uses them to connect to remote systems, install itself there and start the installed copy remotely
  • Virus may terminate these programs if they are running as a means to hide its activities –
  • Virus may connect to an IRC network and channel and await instructions from a hacker or group of hackers
  • If the target system is Windows 98/Me, the virus may alter the SYSTEM.INI file, adding the following instruction to the [boot] section –
    shell = explorer.exe winupdate.exe
  • Virus may modify the registry to load at Windows startup –
    "windowsupdate" = winupdate.exe

    "windowsupdate" = winupdate.exe
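
The following triage check is an added example, not part of the original description: it scans a collected SYSTEM.INI and a registry export (.reg text) for the two startup indicators listed above. The function names and sample inputs are constructed, and the registry key in the sample is a placeholder because the description does not name the key.

```python
import re

# Indicators taken from the description above.
DROPPED_NAME = "winupdate.exe"
RUN_VALUE = "windowsupdate"

def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def boot_shell_extras(system_ini_text):
    """Programs on the [boot] shell= line other than explorer.exe."""
    section = None
    for raw in system_ini_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "boot" and "=" in line and not line.startswith(";"):
            key, value = line.split("=", 1)
            if key.strip().lower() == "shell":
                # Whitespace split: paths containing spaces are not handled.
                return [p for p in value.split() if basename(p) != "explorer.exe"]
    return []

def reg_export_hits(reg_text):
    """(key, value name, data) entries in a .reg export matching either indicator."""
    hits, key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'"([^"]+)"\s*=\s*"(.*)"$', line)
        if m and (m.group(1).lower() == RUN_VALUE or DROPPED_NAME in m.group(2).lower()):
            hits.append((key, m.group(1), m.group(2)))
    return hits

def triage(system_ini_text, reg_text):
    findings = []
    for prog in boot_shell_extras(system_ini_text):
        verdict = "match" if basename(prog) == DROPPED_NAME else "review"
        findings.append((verdict, "SYSTEM.INI [boot] shell", prog))
    findings += [("match", k, f"{n}={d}") for k, n, d in reg_export_hits(reg_text)]
    return findings

# Constructed sample inputs; the registry key name is a placeholder.
SAMPLE_INI = "[boot]\nshell = explorer.exe winupdate.exe\n\n[other]\nshell = x.exe\n"
SAMPLE_REG = ('REGEDIT4\n\n[HKEY_EXAMPLE\\PLACEHOLDER_KEY]\n'
              '"windowsupdate"="winupdate.exe"\n"other"="C:\\\\tools\\\\app.exe"\n')
```

Any extra program on the shell line that is not winupdate.exe is reported as "review" rather than "match", since a clean Windows 98/Me system lists only explorer.exe there.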