- The virus is ASPack-compressed, with a file size of 62,464 bytes.
- When the virus is executed, it writes the following files and copies itself over existing executables, renaming the original files of the same name to a .VXD extension:
C:\WINDOWS\TEMP\PHOTO1.JPG - 27 KB - cropped picture of a young woman posing with the franchise mascot Ronald McDonald
C:\WINDOWS\MPLAYER.VXD - original EXE renamed
C:\WINDOWS\MPLAYER.EXE - virus
C:\WINDOWS\WINHLP32.VXD - original EXE renamed
C:\WINDOWS\WINHLP32.EXE - virus
C:\WINDOWS\NOTEPAD.VXD - original EXE renamed
C:\WINDOWS\NOTEPAD.EXE - virus
C:\WINDOWS\CONTROL.VXD - original EXE renamed
C:\WINDOWS\CONTROL.EXE - virus
C:\WINDOWS\SCANREGW.VXD - original EXE renamed
C:\WINDOWS\SCANREGW.EXE - virus
C:\WINDOWS\SYSTEM\SCANREGW.EXE - virus
C:\WINDOWS\SYSTEM\LOADPE.COM - virus
- The virus modifies the registry to run itself at Windows startup -
- The virus modifies the registry to run itself whenever any executable (EXE) file is run; the default value of the EXE file-open command becomes -
@ = "c:\windows\system\loadpe.com" "%1" %*
* The original value here was
@ = "%1" %*
- The virus acts as a companion virus: it copies each existing EXE file to a .VXD file, then copies itself under the original file name, also adopting the icon of the original application.
- When LOADPE.COM executes, it writes three files to the local machine -
C:\WINDOWS\SYSTEM\NDXAPI.OCX - contains string "PLICT01"
C:\WINDOWS\SYSTEM\ODXAPI.OCX - contains string "PLICT01"
C:\WINDOWS\IFNHLP.SYS - copy of virus
- Every time a new executable is run, it is infected by the companion method: the original file is copied to a .VXD and the virus is copied under the original .EXE file name.
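As an added example (not part of this writeup), a Python check a defender could run over a directory listing and the EXE file-open command value to spot the two footprints described above: EXE/.VXD companion pairs and a loader prepended to the EXE file association. The sample listing and registry values are constructed for the example.

```python
# Constructed sample data modelled on the infection described above; these are
# hypothetical values for the example, not artefacts taken from a real machine.
SAMPLE_LISTING = [
    r"C:\WINDOWS\MPLAYER.VXD",
    r"C:\WINDOWS\MPLAYER.EXE",
    r"C:\WINDOWS\NOTEPAD.EXE",        # no .VXD twin: not a companion pair
    r"C:\WINDOWS\SYSTEM\VMM32.VXD",   # .VXD with no EXE twin: an ordinary driver
    r"C:\WINDOWS\SYSTEM\SCANREGW.VXD",
    r"C:\WINDOWS\SYSTEM\SCANREGW.EXE",
]
CLEAN_EXEFILE_COMMAND = '"%1" %*'
HIJACKED_EXEFILE_COMMAND = r'"c:\windows\system\loadpe.com" "%1" %*'


def find_companion_pairs(paths):
    """Return the EXE paths that have a same-named .VXD sibling in the same
    directory: the footprint this companion virus leaves behind. The .VXD
    file is the renamed original, which is what a clean-up would restore."""
    seen = {p.upper() for p in paths}
    return [p for p in paths
            if p.upper().endswith(".EXE") and p.upper()[:-4] + ".VXD" in seen]


def first_token(command_value):
    """Return the first token of a shell-style command value, honouring a
    leading double-quoted path (a simple splitter; shlex would mangle the
    backslashes in Windows paths)."""
    value = command_value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split()[0] if value else ""


def exefile_command_hijacker(command_value):
    """Inspect the default value of the EXE file-open command. A clean value
    launches the requested program directly, so its first token is "%1".
    Any other first token is a loader inserted in front of every EXE launch;
    return that loader path, or None when the value is clean."""
    token = first_token(command_value)
    return None if token == "%1" else token


if __name__ == "__main__":
    for exe in find_companion_pairs(SAMPLE_LISTING):
        print("companion pair:", exe, "(original saved as .VXD)")
    for label, value in (("clean", CLEAN_EXEFILE_COMMAND),
                         ("suspect", HIJACKED_EXEFILE_COMMAND)):
        print(label, "->", exefile_command_hijacker(value))
```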
- The virus attempts to hijack the email client "The Bat!" and to use "smtp.mail.ru" as an SMTP server in order to distribute itself by email as the file "Photo1.jpg.pif".
- The virus attempts to capture credentials such as cached network passwords, CuteFTP information, and Netscape and "The Bat!" email configurations, storing them in a file in order to send them to the virus author.
- The virus contains these strings in its code -