This threat is detected as VBS/Drogam. On executing the infected VBScript, the virus will save itself as options.vbs in the Windows SYSTEM directory. The following registry keys will be created:
CurrentVersion\Run "GraphicOptions"
CurrentVersion\Run "UpdateSecurity"
[windows SYSTEM directory]\system32\update.vbs
If the date is 25th September, the following registry key will be added:
- "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page", "https://h-a-m.w.xxxx.pl"
CurrentVersion\Run\Kernel32", "[windows directory]\kernel32.vbs"
The virus will then perform a denial-of-service attack on an IP address. The following message will be displayed: "Thx for help with DDoS !! :)"
It will copy itself as kernel32.vbs in the Windows directory.
If the date is 26th September and the time is not 5pm, the virus will run ipconfig /release_all.
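
The artifacts listed above can be checked on a host with the following PowerShell script. It is an added example, not part of the original description. It assumes the truncated "CurrentVersion\Run" entries refer to the standard Windows Run key (both HKLM and HKCU are checked, since the hive is not given) and that the SYSTEM directory is either System or System32.

```powershell
# Added example: artifact check for the VBS/Drogam description above.
# Assumption: the truncated "CurrentVersion\Run" entries are the standard Windows
# Run key. The page does not name the hive, so HKLM and HKCU are both checked.
$runKeys    = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
              'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$valueNames = 'GraphicOptions', 'UpdateSecurity', 'Kernel32'   # names from the page

# Assumption: "windows SYSTEM directory" may be System or System32 depending on
# the Windows version, so both are searched.
$files = "$env:windir\kernel32.vbs",
         "$env:windir\System\options.vbs", "$env:windir\System32\options.vbs",
         "$env:windir\System\update.vbs",  "$env:windir\System32\update.vbs"

$findings = @()

foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $props = Get-ItemProperty -LiteralPath $key
    if (-not $props) { continue }              # key exists but holds no values
    foreach ($name in $valueNames) {
        $p = $props.PSObject.Properties[$name]
        if ($null -ne $p) {
            $findings += [pscustomobject]@{
                Type = 'Run value'; Location = "$key\$name"; Data = [string]$p.Value
            }
        }
    }
}

foreach ($file in $files) {
    if (Test-Path -LiteralPath $file -PathType Leaf) {
        $item = Get-Item -LiteralPath $file -Force   # -Force also returns hidden files
        $findings += [pscustomobject]@{
            Type = 'Dropped file'; Location = $item.FullName
            Data = "modified $($item.LastWriteTime)"
        }
    }
}

# The Start Page is reported when it matches the visible part of the redacted URL.
$ieKey = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$ie = Get-ItemProperty -LiteralPath $ieKey -Name 'Start Page' -ErrorAction SilentlyContinue
if ($ie -and $ie.'Start Page' -like '*h-a-m.w.*') {
    $findings += [pscustomobject]@{
        Type = 'IE start page'; Location = "$ieKey\Start Page"; Data = $ie.'Start Page'
    }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap }
else           { 'No VBS/Drogam artifacts from this description were found.' }
```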