Found at
http://vil.nai.com/vil/default.asp
This is an encrypted parasitic file-infecting virus and network-aware worm. It appends itself to PE EXE and SCR files in the Windows directory and subdirectories on the local system, as well as on any accessible network share. The virus creates an additional PE section whose section header carries a random 3-letter name followed by the character "•".
The virus creates the following registry key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF
Symptoms
- Increase in file size by approximately 177Kb
- Presence of aforementioned registry key
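The extra PE section described above can also be checked for directly. The following is an added example, not part of the original advisory: it reads the section table of a PE file and flags any section whose name is three letters followed by the marker character. The byte value 0x95 (the Windows-1252 encoding of "•") and all function names are assumptions, and the sample headers are constructed.

```python
import struct

# Assumption: the advisory shows only the glyph "•"; 0x95 is its Windows-1252 byte.
MARKER = 0x95

def section_names(data: bytes) -> list:
    """Return the raw section names of a PE image, or [] if it is not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)      # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0" or len(data) < pe_off + 24:
        return []
    (num_sections,) = struct.unpack_from("<H", data, pe_off + 6)
    (opt_size,) = struct.unpack_from("<H", data, pe_off + 20)
    table = pe_off + 24 + opt_size                        # first section header
    names = []
    for i in range(num_sections):
        entry = table + i * 40                            # each header is 40 bytes
        if entry + 40 > len(data):
            break                                         # truncated section table
        names.append(data[entry:entry + 8].rstrip(b"\0"))
    return names

def suspicious_sections(data: bytes) -> list:
    """Names matching the described pattern: 3 ASCII letters followed by the marker."""
    return [n for n in section_names(data)
            if len(n) == 4 and n[:3].isalpha() and n[3] == MARKER]

def build_sample(names) -> bytes:
    """Constructed test input: PE headers only (not a loadable executable)."""
    pe_off = 0x40
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", pe_off)
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, 0, 0)
    table = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in names)
    return dos + b"PE\0\0" + coff + table

if __name__ == "__main__":
    for label, names in [("clean", [b".text", b".data"]),
                         ("appended", [b".text", b".data", b"qxz\x95"])]:
        print(label, suspicious_sections(build_sample(names)))
```

A match is a triage hint for which files to hand to the scanner; files should still be confirmed and repaired with the engine and DAT files named under Removal Instructions.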
Method Of Infection
The virus drops a UPX-packed executable in the WINDOWS TEMP directory and executes it. This file is 176,128 bytes in length and has a random filename with a .TMP extension. The virus enumerates all network shares and infects every PE .EXE and .SCR file that it has write access to.
Removal Instructions
Use specified engine and DAT files for detection and removal.
Infected systems should be removed from the network and repaired prior to placing them back onto the network. Failure to do so can result in further infections.
As this threat seeks open shares, turn off full-access sharing on your system. If you have to use shares, use password protection to avoid being a future target.