When the worm executes, it creates the following file:
If a removable drive exists, the worm creates the following files:
- [DRIVE LETTER]\kernel32.dll.vbs
- [DRIVE LETTER]\autorun.inf
Next, the worm creates the following registry entry so that it executes whenever Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"kernel32" = "%Windir%\kernel32.dll.vbs"
It modifies the following registry value if it exists:
HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\"Timeout" = "0"
The worm also creates the following registry entry which modifies the title bar of Internet Explorer:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Window Title" = "Hacked by [REMOVED]TS"
It also creates the following registry entry to count its executions:
HKEY_CURRENT_USER\Software\Microsoft\"nFlag" = "[NUMBER OF TIMES SCRIPT HAS RUN]"
Note: The value "nFlag" = "[NUMBER OF TIMES SCRIPT HAS RUN]" in the subkey HKEY_CURRENT_USER\Software\Microsoft increments each time the script is executed.
On the script's 74th execution and thereafter, it attempts to modify the following registry entry:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Start Page" = "about:_______________________________________:Hacked_By_[REMOVED]TS:_______________________________________"
On the script's 100th execution, it attempts to delete critical files including:
and recursively delete all files, folders and subfolders on all available drives excluding the following:
- %SystemDrive%\Documents and Settings
The nFlag value will not increment if the following file exists:
%Windir%\I will survive.txt
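As an added defender-side example that is not part of the Symantec write-up, the following Python scans a `reg export` dump from a suspect host for the registry artefacts listed above and reports how close the nFlag counter is to the 74th and 100th execution thresholds. The parser, the function names and the sample dump are constructed for this example.

```python
# Registry artefacts named in the write-up above.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
WSH_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings"
IE_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main"
MS_KEY = r"HKEY_CURRENT_USER\Software\Microsoft"

# Constructed sample of a 'reg export' dump from an infected host (not real data).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kernel32"="%Windir%\\kernel32.dll.vbs"

[HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings]
"Timeout"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft]
"nFlag"="73"
"""

def parse_reg_export(text):
    """Parse a .reg (v5.00) dump into {key: {name: value}}; dwords become decimal strings."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            name, _, value = line.partition("=")
            keys[current][name.strip('"')] = (str(int(value[6:], 16)) if value.startswith("dword:")
                                              else value.strip('"').replace("\\\\", "\\"))
    return keys

def scan_reg_export(text):
    """Return one finding per worm artefact present; an empty list means none were found."""
    keys, findings = parse_reg_export(text), []
    run = keys.get(RUN_KEY, {}).get("kernel32", "")
    if run.lower().endswith("kernel32.dll.vbs"):
        findings.append("persistence: Run\\kernel32 = " + run)
    if keys.get(WSH_KEY, {}).get("Timeout") == "0":
        findings.append("Windows Script Host Timeout forced to 0")
    if "hacked by" in keys.get(IE_KEY, {}).get("Window Title", "").lower():
        findings.append("Internet Explorer Window Title defaced")
    nflag = keys.get(MS_KEY, {}).get("nFlag", "")
    if nflag.isdigit():
        n = int(nflag)  # runs so far; the 74th and 100th runs trigger the payloads
        stage = "file deletion" if n + 1 >= 100 else "Start Page tamper" if n + 1 >= 74 else "none"
        findings.append(f"nFlag run counter = {n}; payload on next run: {stage}")
    return findings
```

A host whose dump yields a non-empty list should be isolated and the `%Windir%\kernel32.dll.vbs` file and Run entry removed before the counter reaches the next threshold.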
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":