VIRUS NAME: Suomia Trojan
Characteristics
When executed on the victim machine, this trojan (created using a commercial
SFX package) drops the file MIAOUS3.EXE into the system Tempdir (e.g.
C:\Windows\Temp) and modifies various Registry keys in an attempt to hook the
execution of EXE files.
The following window is displayed upon execution of the trojan: "PATCH_UNIVERS"
The following key is added:
  HKEY_CLASSES_ROOT\exefile "AlwaysShowExt"
The following keys are modified:
  HKEY_CLASSES_ROOT\exefile "(Default)"
    From 'Application' to 'EXE file'
  HKEY_CLASSES_ROOT\exefile\DefaultIcon "(Default)"
    From '%1' to 'C:\_cd_N5\secret\MIAOUS3\MIAOUS3.exe'
  HKEY_CLASSES_ROOT\exefile\shell\open\command "(Default)"
    From '"%1" %*' to 'C:\_cd_N5\secret\MIAOUS3\MIAOUS3.exe %1'
The file 'C:\_cd_N5\secret\MIAOUS3\MIAOUS3.exe' was not dropped during tests,
and so subsequent execution of EXE files resulted in a system error (the OS
prompting for location of MIAOUS3.EXE). When MIAOUS3.EXE is executed, it displays
a pornographic image.
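Added example (not part of the original description): a Python check that
parses a .reg export of the exefile class and reports values that differ from
the pre-infection values listed above, or that the description lists as added.
The sample export is constructed from the values in the description; the
function names and the empty AlwaysShowExt data are assumptions.

```python
import re

# Pre-infection values as given in the description above; "" is the (Default) value.
BASELINE = {
    (r"HKEY_CLASSES_ROOT\exefile", ""): "Application",
    (r"HKEY_CLASSES_ROOT\exefile\DefaultIcon", ""): "%1",
    (r"HKEY_CLASSES_ROOT\exefile\shell\open\command", ""): '"%1" %*',
}
ADDED = [(r"HKEY_CLASSES_ROOT\exefile", "AlwaysShowExt")]  # listed as added
LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')

# Constructed sample: a .reg export holding the modified values from the description.
SAMPLE_MODIFIED = r'''REGEDIT4

[HKEY_CLASSES_ROOT\exefile]
@="EXE file"
"AlwaysShowExt"=""
[HKEY_CLASSES_ROOT\exefile\DefaultIcon]
@="C:\\_cd_N5\\secret\\MIAOUS3\\MIAOUS3.exe"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\_cd_N5\\secret\\MIAOUS3\\MIAOUS3.exe %1"
'''

def unescape(s):
    """.reg string data escapes backslash and double quote with a backslash."""
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg(text):
    """Parse string (REG_SZ) values from a .reg export into {(key, name): data}."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := LINE.match(line)):
            name = "" if m.group(1) == "@" else unescape(m.group(1)[1:-1])
            values[(key, name)] = unescape(m.group(2))
    return values

def audit_exefile(text):
    """Return (key, value name, expected, actual) for each deviation found."""
    values = parse_reg(text)
    findings = [(k, n or "(Default)", want, values.get((k, n)))
                for (k, n), want in BASELINE.items() if values.get((k, n)) != want]
    findings += [(k, n, None, values[(k, n)]) for k, n in ADDED if (k, n) in values]
    return findings

if __name__ == "__main__":
    print(*audit_exefile(SAMPLE_MODIFIED), sep="\n")
```

A baseline value that is missing from the export is reported with an actual
value of None.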
Symptoms
'Program Not Found' system error message concerning MIAOUS3.EXE when attempting
to run EXE files.
Method Of Infection
The trojan makes damaging modifications to the system Registry upon execution,
dropping another executable which displays a pornographic image when run.