Description
This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
Indication of Infection
- Modification of a system Registry key as described below
- increase in the size of JPEG files (+11,780 bytes)
- increase in size of .TXT files (+11780 bytes)
Methods of Infection
The virus arrives in the form of a 11,780 byte PE file. When run on the victim machine, the 5,636 byte extractor component (EXTRK.EXE) is dropped (to the current directory). Both files are written in Visual Basic 6, and packed with UPX. The following Registry key is modified in order that JPEG file execution is hooked:
HKEY_CLASSES_ROOT\jpegfile\shell\open\command
"(Default)" = (current directory)\EXTRK.EXE %1
Subsequently, when JPEG files are executed, the extractor component checks if the file is infected. If so, the virus body is extracted and executed. Only JPEGs in the current directory are infected, and only one file is infected per cycle. The extractor then attempts to display the JPEG using a system DLL.
The .b variant uses the filename TEXTRK.EXE for the extractor component and the registry key modified is:
HKEY_CLASSES_ROOT\txtfile\shell\open\command
"(Default)" = (current directory)\EXTRK.EXE %1