January 31, 2011


This is another email virus that arrives as an attachment. The worm propagates by attaching copies of itself to email messages that it sends to addresses gathered from the Windows Address Book. It can send email messages without using a mail application such as Microsoft Outlook. Its main payloads are dropping and downloading malicious files.

1) It drops the following malicious files:
  • ifcconf.exe
  • ifcmgr32.dll
  • infowshb.dll
  • rtutvb5d.dll
2) It also drops the following files, which affect the system, in these folders:
  • %System%\confifc.dll
  • %System%\ifcperf.exe
  • %System%\ifcprf32.dll
  • %System%\ifcstat.dll
  • %System%\sendwmdm.exe
  • %Windows%\tifc32.exe
3) It creates the following auto-start entries, which enable the virus to carry out its malicious activities:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ifcdiag = "%System%\ifcconf.exe" 
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dbgmgr
    DllName = "%System%\ifcmgr32.dll" 
4) It creates the following registry key:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\shdosbei 
5) It modifies the following registry entry:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_DLLs = "infowshb.dll confifc.dll ifcstat.dll"
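
The registry changes in items 3 to 5 can be checked offline against a registry export. The following Python script is an added example, not part of the original post: it parses regedit .reg export text and reports which of the entries listed above are present. It assumes the export has already been decoded to text (regedit writes UTF-16); the function names and the sample export are constructed for illustration.

```python
import re

HKLM_MS = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft"
# (key, value name, file names expected in the data), all taken from the list above
INDICATORS = [
    (HKLM_MS + r"\Windows\CurrentVersion\Run", "ifcdiag", ["ifcconf.exe"]),
    (HKLM_MS + r"\Windows NT\CurrentVersion\Winlogon\Notify\dbgmgr", "DllName",
     ["ifcmgr32.dll"]),
    (HKLM_MS + r"\Windows NT\CurrentVersion\Windows", "AppInit_DLLs",
     ["infowshb.dll", "confifc.dll", "ifcstat.dll"]),
]
CREATED_KEY = HKLM_MS + r"\shdosbei"  # key the worm creates (item 4)
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def parse_reg_export(text):
    """Parse .reg export text into {key: {value name: data}}; string values only."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:  # undo the \\ and \" escaping used by the .reg format
                name, data = (re.sub(r"\\(.)", r"\1", s) for s in m.groups())
                current[name.lower()] = data
    return keys

def find_indicators(text):
    """Return (key, value name, matched file names) for each indicator present."""
    keys, hits = parse_reg_export(text), []
    for key, name, files in INDICATORS:
        data = keys.get(key.lower(), {}).get(name.lower(), "").lower()
        found = [f for f in files if f in data]
        if found:
            hits.append((key, name, found))
    if CREATED_KEY.lower() in keys:
        hits.append((CREATED_KEY, None, []))
    return hits

# Constructed sample export (not captured from a real host)
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ifcdiag"="C:\\WINDOWS\\system32\\ifcconf.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="infowshb.dll confifc.dll ifcstat.dll"
'''
```

Calling find_indicators(SAMPLE) returns one entry for the Run value and one for AppInit_DLLs; an export with none of the listed entries returns an empty list.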

