This virus scans the victim machine for executable files and infects them.The virus itself is a Windows PE EXE file. It is written in Visual Basic. Itis not packed in any way. The file is 348 160 bytes in size. InstallationOnce launched, the virus copies itself to the Windows root, system and temporarydirectories under its original name, which will have an .exe extension: %WinDir%\%VirName%.exe%System%\%VirName%.exe%Temp%\%VirName%.exe The virus also adds a link to itself in the system registry: [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]"mab" = "%System%\%VirName%.exe" Once installed, the virus scans all files in the root directories of all logicalsysstem disks. Copies of the virus will be created in these directories withthe original file name. The contents of files with the following extensions: .cpp.doc.htm.html.txt.xls will be overwritten with the following texts (103 bytes in size): "Sorry!!!! $%%#@&re*$%$rthn#$^&&!f#&%$$f$#df#@^%$~`<:JHFgYttrt""$%%%7``0924ksh<:{[86#$36455hgf#$45"Once the virus has finished scanning, it will start again after a five secondinterval. If your computer does not have an antivirus solution, use the following instructionsto delete the malicious program:- Use Tast Manager to terminate the virus process.
- Delete the following registry key value:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]"mab" - Delete the copies of the virus from the Windows root, systemand temporary directories:
%WinDir%\%VirName%.exe%System%\%VirName%.exe%Temp%\%VirName%.exe - Scan your system for all files which have the same name and sizeas the original virus file.
- Update your antivirus databases and perform a full scan of thecomputer (download a trial version of Kaspersky Anti-Virus.
Printed From:http://www.viruslist.com/en/viruses/encyclopedia?virusid=148537
Similar Virus/Threat >>
- Virus.Win32.Alman.a
|
