is a virus that infects specific Microsoft Office document files and executable files. This virus has been observed contacting remote hosts in order to download files onto your computer.
In the wild, we have observed the virus infecting files with the following file extensions:
drops the virus body as the following:
%AppData%\<random>\<random>.exe (for example, "%AppData%\KA7YQ0\A1S09G.exe")
Note: %AppData% refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the Application Data folder for Windows 2000, XP, and 2003 is "C:\Documents and Settings\<user>\Application Data". For Windows Vista and 7, the default location is "C:\Users\<user>\AppData\Roaming".
The virus also drops a shortcut file as <dropped virus body path>.lnk, for example, "%AppData%>\KA7YQ0\A1S09G.exe.lnk" which points to the virus body with the following parameter:
makes the following changes to the registry to ensure its execution each time Windows starts:
In subkey: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
Sets value: "Load"
With data: "<dropped LNK file>"
It will then launch the dropped LNK file immediately.
creates an event "SayHellotomyLittleFriend" and an atom "BreakingBad" to make sure that only one payload is running at any given time.
The virus tries to infect files with the following extensions:
It does this by encrypting the original file, and prepending itself before it on all drives (except unknown devices), CDROMs, and drives that have a "System Volume Information" folder in the root.
An infected DOC file will be named as "<original file name><unicode right-to-left mark>cod.scr", and infected XLS files will be named as "<original file name><unicode right-to-left mark>slx.scr".
When the infected file runs, the original file is dropped and opened under the same directory with a random name, for example "Z3NTZ8". This randomly named file will have "hidden" and "system" attributes.
Contacts remote hosts
contacts remote hosts to report infection and retrieve commands; in the wild, we have observed it contacting the following server for this purpose:
Note: At the time of analysis, this server returned empty commands.
The virus may contact a remote host for any number of purposes, commonly to:
- Update itself
- Download additional files
Terminates system processes
attempts to close Windows Task Manager periodically.
Analysis by Shawn Wang