TECHNICAL DETAILS
When the worm is executed, it creates the following files:

C:\Documents and Settings\All Users\My Documents\S??stem.exe
%ProgramFiles%\S??stem.exe
%System%\S??stem.exe
%System%\Winnt.sys
%Windir%\S??stem.exe
%Windir%\Winnt.sys
%Windir%\Tasks\At1.job
%Windir%\Tasks\At2.job
%Windir%\Tasks\At3.job
%Windir%\Tasks\At4.job
%Windir%\Tasks\At5.job
%Windir%\Tasks\At6.job
%Windir%\Tasks\At7.job
%Windir%\Tasks\At8.job
%Windir%\Tasks\At9.job
%Windir%\Tasks\At10.job
%SystemDrive%:\Autoexec.bat
%SystemDrive%:\New Folder.exe
%SystemDrive%:\WinSys.sys
%SystemDrive%:\bootsect.exe
%DriveLetter%\S??stem.exe
%DriveLetter%\autorun.inf

It copies itself to network shares as the following file:
Documents.exe

Next, it creates the following registry entries so that it executes whenever Windows starts:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"System Init" = "%System%\S??stem.exe"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBootAlternate\"AlternateShell" = "%System%\S??stem.exe"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootAlternate\"AlternateShell" = "%System%\S??stem.exe"
HKEY_CURRENT_USER\S-1-5-21-1343024091-1336601894-839522115-500\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "Explorer.exe S??stem.exe"


It then creates the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shell\explore\command\"@" = "S??stem.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shell\Explorer\command\"" = "S??stem.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shell\Open With\command\"" = "S??stem.exe"


It also creates the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowRun\"1" = "Wincmd.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowRun\"2" = "zlclient.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowRun\"3" = "nvprotect.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowRun\"4" = "Regworkshop.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowRun\"5" = "Mcshield.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowRun\"6" = "avp.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowRun\"7" = "ccprovsp.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowRun\"8" = "Attrib.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\"DisallowRun" = "1"
HKEY_CURRENT_USER\S-1-5-21-1343024091-1336601894-839522115-500\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares\"shared" = "\Documents.exe"
HKEY_CURRENT_USER\S-1-5-21-1343024091-1336601894-839522115-500\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"DisallowRun" = "1"
HKEY_CURRENT_USER\S-1-5-21-1343024091-1336601894-839522115-500\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\"1" = "Wincmd.exe"
HKEY_CURRENT_USER\S-1-5-21-1343024091-1336601894-839522115-500\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\"2" = "zlclient.exe"
HKEY_CURRENT_USER\S-1-5-21-1343024091-1336601894-839522115-500\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\"3" = "nvprotect.exe"
HKEY_CURRENT_USER\S-1-5-21-1343024091-1336601894-839522115-500\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\"4" = "Regworkshop.exe"
HKEY_CURRENT_USER\S-1-5-21-1343024091-1336601894-839522115-500\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\"5" = "Mcshield.exe"
HKEY_CURRENT_USER\S-1-5-21-1343024091-1336601894-839522115-500\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\"6" = "avp.exe"
HKEY_CURRENT_USER\S-1-5-21-1343024091-1336601894-839522115-500\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\"7" = "ccprovsp.exe"
HKEY_CURRENT_USER\S-1-5-21-1343024091-1336601894-839522115-500\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\"8" = "Attrib.exe"


The worm modifies the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"HideFileExt" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"ShowSuperHidden" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"SuperHidden" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"Hidden" = "0"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Schedule\"AtTaskMaxHours" = "0"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\"AtTaskMaxHours" = "0"
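
Added example (not part of the original write-up and not vendor code): a Python triage pass over a registry export that flags three of the changes listed above, namely the DisallowRun block list, the extra program appended to the Winlogon "Shell" value, and the replaced Folder shell verb commands. The export text and the SID in it are constructed, and treating any Folder verb command that does not reference explorer.exe as suspicious is a heuristic assumption.

```python
import re

# Constructed `reg export` sample (not from a real host); the SID is a placeholder.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"DisallowRun"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowRun]
"1"="Wincmd.exe"
"5"="Mcshield.exe"
"6"="avp.exe"

[HKEY_USERS\S-1-5-21-0-0-0-500\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe S??stem.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shell\explore\command]
@="S??stem.exe"
'''

def parse_reg(text):
    """Return {lowercased key path: {lowercased value name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and "=" in line:
            name, data = line.split("=", 1)
            data = int(data[6:], 16) if data.startswith("dword:") else data.strip('"')
            current[name.strip('"').lower()] = data
    return keys

def triage(keys):
    """Return (finding, key path, evidence) tuples; keys are matched by suffix."""
    findings = []
    for path, values in keys.items():
        if path.endswith(r"\policies\explorer\disallowrun"):
            parent = keys.get(path.rsplit("\\", 1)[0], {})
            if parent.get("disallowrun") == 1 and values:  # policy is switched on
                findings.append(("blocked-programs", path, sorted(map(str, values.values()))))
        elif path.endswith(r"\windows nt\currentversion\winlogon"):
            shell = str(values.get("shell", "explorer.exe"))
            if shell.lower() != "explorer.exe":  # anything appended runs at logon
                findings.append(("winlogon-shell", path, shell))
        elif re.search(r"\\classes\\folder\\shell\\[^\\]+\\command$", path):
            cmd = str(values.get("@", ""))
            if cmd and "explorer.exe" not in cmd.lower():  # heuristic (assumption)
                findings.append(("folder-verb-hijack", path, cmd))
    return findings
```

Run `triage(parse_reg(text))` on the text of an export taken from the host under review; an empty list means none of the three conditions was present in that export.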


The worm infects all files on removable drives with the following extensions:

.doc
.xls
.exp
.ppt
.mdb
.dba
.pdf
.jpg
.psd
.ai
.dwg
.mp3
.mpg
.zip
.rar
.qxd
.rdf
.rep
.fmx
.fmb
.cpp


It injects the following string into the files with the above extensions:
Locked by Mr. Guddu

The worm then uses SMTP to send an email to a remote attacker. The email has the following characteristics:
To:
mr.guddu.bd@gmail.com

Subject:
Successful Infection Notification

Message:
[COMPUTER NAME] - [USER NAME] has successfully infected!
Mr. Guddu

The worm may delete all files in the following location:
%CurrentFolder%

It then creates a new folder named [DELETED FILE NAME], which contains the following file:
Mr. Guddu.txt

The above file contains the following message:
Just Kidding.
Sincerely yours
Mr. Guddu
mr.guddu.bd@gmail.com

It may also display the following message on the tray menu:
Warning!
You are infected by Unknown Virus! Contact with Mr. Guddu! Mail at mr.guddu.bd@gmail.com

The worm also disables the following items:

Registry
Security
Folder Options
Schedule
Group Policy
Command
Task Manager


It also disables the following processes:

Mcshield.exe
Nvprotect.exe
avp.exe
