If you have been frustrated by this one, you might also be interested in how it works, so I'm sharing it here...
When launched, the virus copies its executable file as follows:
%System%\config\csrss.exe
%WinDir%\media\arona.exe
It also creates the following file:
%System%\logon.bat
When this file is run, it will launch a copy of the virus:
%System%\config\csrss.exe
In order to ensure that the virus is launched automatically when the system is rebooted, it adds a link to its executable file to the system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Worms" = "%System%\logon.bat"
The virus also creates the following files:
%System%\config\autorun.inf
h:\autorun.inf
f:\autorun.inf
i:\autorun.inf
g:\autorun.inf
k:\autorun.inf
l:\autorun.inf
o:\autorun.inf
j:\autorun.inf
These files will be launched each time the user opens the corresponding hard disk partition using Windows Explorer. When one of these files is run, it will launch a copy of the virus: %System%\config\csrss.exe.
Payload
The virus modifies values of the following system registry keys:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
DisableTaskMgr = 1
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
NoFolderOptions = 1
It also searches the hard disk partitions listed below for files with an ".mp3" extension:
d:\
c:\
e:\
f:\
g:\
h:\
These files will then be deleted.
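To check a machine for the traces listed above, the following read-only PowerShell script is one option. It is an added example, not part of the original write-up; it assumes %System% resolves to the Windows system directory and only looks at the registry of the user running it. Note that the genuine Windows csrss.exe sits directly in %System%, not in the config subfolder.

```powershell
# Added example: read-only check for the indicators described in this post.
# Nothing is deleted or changed; the script only reports what it finds.
$sys = [Environment]::SystemDirectory    # %System%
$win = $env:WinDir                       # %WinDir%
$findings = @()

# Files the virus drops under the Windows directories
$files = @(
    (Join-Path $sys 'config\csrss.exe'),
    (Join-Path $win 'media\arona.exe'),
    (Join-Path $sys 'logon.bat'),
    (Join-Path $sys 'config\autorun.inf')
)
# autorun.inf in the root of the drive letters named in the post
$files += 'f','g','h','i','j','k','l','o' | ForEach-Object { "$($_):\autorun.inf" }

foreach ($f in $files) {
    # Test-Path returns $false for drive letters that do not exist
    if (Test-Path -LiteralPath $f) { $findings += "File: $f" }
}

# Registry values from the post. Value = $null means "any data counts".
# HKCU covers only the current user; run once per affected account.
$reg = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
       Name = 'Worms'; Value = $null },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'DisableTaskMgr'; Value = 1 },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name = 'NoFolderOptions'; Value = 1 }
)
foreach ($r in $reg) {
    $p = Get-ItemProperty -Path $r.Key -Name $r.Name -ErrorAction SilentlyContinue
    if ($null -eq $p) { continue }       # key or value not present
    $data = $p.($r.Name)
    if ($null -eq $r.Value -or $data -eq $r.Value) {
        $findings += "Registry: $($r.Key)\$($r.Name) = $data"
    }
}

if ($findings.Count -eq 0) {
    'None of the listed indicators were found.'
} else {
    $findings
}
```

Windows removes RunOnce values when it processes them, so a missing "Worms" value on its own does not show the machine is clean. An autorun.inf on removable media can also be legitimate, so review the file before drawing conclusions.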