The worm copies itself to %WINDIR%\system32\wind2ll2.exe.
Adds the value:
"erfgddfk" = "%WINDIR%\system32\wind2ll2.exe"
to the registry keys:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ru1n]
and tries to delete the values:
"My AV"
"Zone Labs Client Ex"
"9XHtProtect"
"Antivirus"
"Special Firewall Service"
"service"
"Tiny AV"
"ICQNet"
"HtProtect"
"NetDy"
"Jammer2nd"
"FirewallSvr"
"MsInfo"
"SysMonXP"
"EasyAV"
"PandaAVEngine"
"Norton Antivirus AV"
"KasperskyAVEng"
"SkynetsRevenge"
"ICQ Net"
from the same keys.
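As an added defender-side example (not part of this description), the Python below parses a `reg export` style text and checks both autostart keys for the worm's value and for which of the security-product values it tries to delete still exist. It assumes the standard key name Run (the listing above spells it Ru1n); the sample export is constructed, not a real capture.

```python
import re

# Autostart keys the worm writes to (the page spells them "Ru1n"; "Run" assumed).
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)
WORM_VALUE = "erfgddfk"                  # value name the worm adds
WORM_BINARY = r"\system32\wind2ll2.exe"  # its data, under %WINDIR%
# Security-product autostart values the worm tries to delete from those keys.
TARGETED_VALUES = {
    "My AV", "Zone Labs Client Ex", "9XHtProtect", "Antivirus",
    "Special Firewall Service", "service", "Tiny AV", "ICQNet", "HtProtect",
    "NetDy", "Jammer2nd", "FirewallSvr", "MsInfo", "SysMonXP", "EasyAV",
    "PandaAVEngine", "Norton Antivirus AV", "KasperskyAVEng", "SkynetsRevenge", "ICQ Net",
}
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def parse_reg_export(text):
    """Parse 'reg export' text into {key: {value_name: data}}; string values only."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()  # registry key paths are case-insensitive
            keys.setdefault(current, {})
        elif current is not None:
            m = _VALUE_RE.match(line)
            if m:  # .reg files escape a backslash in string data as \\
                keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys

def triage(reg):
    """Return (keys holding the worm's autostart value, targeted values still present)."""
    hits, surviving = [], []
    for key in RUN_KEYS:
        values = reg.get(key.lower(), {})
        if values.get(WORM_VALUE, "").lower().endswith(WORM_BINARY.lower()):
            hits.append(key)
        surviving += [v for v in values if v in TARGETED_VALUES]
    return hits, surviving

# Constructed sample export (not a real capture): an infected HKLM Run key, and an
# HKCU Run key whose "ICQ Net" value the worm did not manage to remove.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"erfgddfk"="C:\\WINDOWS\\system32\\wind2ll2.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ICQ Net"="C:\\Program Files\\ICQ\\icqnet.exe"
"""
```

A surviving targeted value only shows that the deletion did not take effect on that host; the worm's own value under either key is the indicator of infection.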
Tries to download files from a list of URLs to
%WINDIR%\re_file.exe
and, if successful, executes the downloaded file.
Tries to download files from a list of URLs to
%WINDIR%\eml.exe
Sends an e-mail with a zipped copy of the W32/Mitglieder.GV Trojan attached.
Avoids sending e-mail to addresses containing any of these substrings:
@eerswqe
@derewrdgrs
@microsoft
rating@
f-secur
update
anyone@
bugs@
contract@
feste
gold-certs@
help@
info@
nobody@
noone@
admin
icrosoft
support
ntivi
linux
listserv
certific
sopho
@iana
free-av
@messagelab
winzip
google
winrar
samples
abuse
panda
cafee
@avp.
noreply
local
root@
postmaster@