When the virus executes, it attempts to infect any file accessed with the following extensions:
The threat does not infect files starting with the following strings:
The virus also attempts to infect files with the following extensions by injecting an iframe into the body of each file:
The above iframe redirects the browser on the computer to the following location:
It creates the following event so that only one instance of the threat is running on the compromised computer:
The virus then modifies the hosts file by prepending the following strings to its body:
It then opens a back door by joining a channel controlled by a remote attacker on one of the following IRC servers:
- irc.zief.pl on TCP port 80
- proxim.ircgalaxy.pl on TCP port 80
The remote attacker may use the following nickname:
[EIGHT RANDOM CHARACTERS]
It may use the following registry entry in binary format in order to decode an unknown server name and port number:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\"UpdateHost" = "[BINARY VALUE]"
The threat disables Windows File Protection in order to infect files on the computer.
It also modifies the following registry subkey in order to add a firewall exception:
The virus also attempts to download files on the compromised computer.
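A defender-side triage check built only from the indicators this write-up names (the two IRC servers on TCP port 80 and the Explorer "UpdateHost" value). This is an added example, not Symantec's tooling: the firewall log format and the .reg export fragment are constructed, and the hex bytes in it are placeholders, not the real encoded value.

```python
import re

# Indicators taken from the write-up above.
IRC_SERVERS = {"irc.zief.pl", "proxim.ircgalaxy.pl"}
IRC_PORT = 80  # port documented in the write-up
REG_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer"
REG_VALUE = "UpdateHost"

# Constructed firewall log lines (hypothetical format: timestamp action proto src dst:port).
SAMPLE_LOG = """\
2009-01-12T10:01:33 ALLOW TCP 10.0.0.15 irc.zief.pl:80
2009-01-12T10:01:35 ALLOW TCP 10.0.0.15 www.example.com:80
2009-01-12T10:02:01 ALLOW TCP 10.0.0.22 proxim.ircgalaxy.pl:80
2009-01-12T10:02:05 ALLOW TCP 10.0.0.22 irc.zief.pl:6667
"""

# Constructed .reg export fragment; the bytes after hex: are placeholders.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer]
"ShellState"=hex:24,00,00,00
"UpdateHost"=hex:de,ad,be,ef,00,11
"""


def find_irc_beacons(log_text):
    """Return (src, host, port) for every TCP connection to a listed IRC server.
    Any port is reported: the write-up documents port 80, but a connection to
    a known command-and-control host is worth a look on any port."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[2] != "TCP":
            continue
        host, _, port = parts[4].rpartition(":")
        if host.lower() in IRC_SERVERS and port.isdigit():
            hits.append((parts[3], host.lower(), int(port)))
    return hits


def find_update_host(reg_text):
    """Return the raw bytes of Explorer\\UpdateHost from a .reg export, or None.
    Single-line hex values only; multi-line hex continuations are not handled."""
    current_key = None
    for line in reg_text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        m = re.match(r'"([^"]+)"=hex:([0-9a-fA-F,\s]+)$', line)
        if m and current_key and current_key.lower() == REG_KEY.lower() and m.group(1) == REG_VALUE:
            return bytes.fromhex(re.sub(r"[,\s]", "", m.group(2)))
    return None
```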
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":