Worm.Win32.Fujack.a

Tag: Internet Worms

The worm infects files with .exe, .scr, .pif and .com extensions on all fixed disks, except for files in folders whose names contain any of the following strings:

WINDOWS
Winnt
Recycled
Windows NT
WindowsUpdate
Windows Media Player
Outlook Express
Internet Explorer
NetMeeting
Common Files
ComPlus Applications
Messenger
InstallShield Installation Information
MSN
Microsoft Frontpage
Movie Maker
MSN Gamin Zone

The worm also does not infect files that are greater than 10 485 760 bytes in size.

The worm writes its executable file to the beginning of the file being infected, displacing the original contents of the file downwards.
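A detection heuristic for the prepending infection just described, added here as an example (it is not code from this page or from any vendor tool): it walks the section table of the first PE image to find where the worm body ends on disk, then looks for a second valid PE header after that point, which is where the displaced original file begins. It assumes the worm body carries no overlay data; build_pe only fabricates minimal header layouts for the demonstration and produces nothing executable.

```python
import struct

SECTION_HEADER_SIZE = 40

def pe_raw_end(data: bytes, mz_off: int = 0):
    """Return the on-disk end offset of the PE image whose 'MZ' header sits at
    mz_off (end of the last section's raw data), or None if no valid PE is there."""
    try:
        if data[mz_off:mz_off + 2] != b"MZ":
            return None
        pe = mz_off + struct.unpack_from("<I", data, mz_off + 0x3C)[0]   # e_lfanew
        if data[pe:pe + 4] != b"PE\0\0":
            return None
        nsec = struct.unpack_from("<H", data, pe + 6)[0]        # NumberOfSections
        opt_size = struct.unpack_from("<H", data, pe + 20)[0]   # SizeOfOptionalHeader
        sec = pe + 24 + opt_size                                # first section header
        end = sec + nsec * SECTION_HEADER_SIZE                  # at least the headers
        for i in range(nsec):
            raw_size, raw_ptr = struct.unpack_from("<II", data, sec + i * SECTION_HEADER_SIZE + 16)
            end = max(end, mz_off + raw_ptr + raw_size)
        return end
    except struct.error:          # truncated header: not a usable PE
        return None

def find_prepended_host(data: bytes):
    """Heuristic: a complete PE (the worm) followed by a second PE (the displaced
    original). Returns (cut_offset, host_bytes) or None. Installers and
    self-extractors that embed a PE after their own image will also match."""
    end = pe_raw_end(data)
    if end is None or end >= len(data):
        return None               # not a PE, or a single PE with nothing after it
    pos = data.find(b"MZ", end)   # tolerate padding between the two images
    while pos != -1:
        if pe_raw_end(data, pos) is not None:
            return pos, data[pos:]
        pos = data.find(b"MZ", pos + 1)
    return None

def build_pe(payload: bytes) -> bytes:
    """Construct a minimal PE layout for the demo: DOS header, PE signature,
    COFF header with an empty optional header, one section holding payload."""
    e_lfanew = 0x40
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", e_lfanew)
    raw_ptr = e_lfanew + 4 + 20 + SECTION_HEADER_SIZE       # section data follows headers
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)  # i386, 1 section, opt hdr size 0
    section = b".text".ljust(8, b"\0") + struct.pack("<IIII", len(payload), 0x1000, len(payload), raw_ptr) + bytes(16)
    return dos + b"PE\0\0" + coff + section + payload

if __name__ == "__main__":
    host = build_pe(b"original program code")        # constructed sample host file
    infected = build_pe(b"worm body") + host          # worm image written in front of it
    cut, recovered = find_prepended_host(infected)
    print(f"host starts at offset {cut}; recovered intact: {recovered == host}")
```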

The worm also attempts to infect files in shared network folders. To reach other machines on the network, it attempts to connect using the following user names and passwords:

User name:

Administrator
Guest
Admin
Root

Password:

1234
password
6969
harley
123456
golf
pussy
mustang
1111
shadow
1313
fish
5150
7777
qwerty
baseball
2112
letmein
12345678
12345
ccc
admin
5201314
qq520
1
12
123
1234567
123456789
654321
54321
111
000000
abc
pw
11111111
88888888
pass
passwd
database
abcd
abc123
sybase
123qwe
server
computer
520
super
123asd
Ihavenopass
godblessyou
enable
xp
2002
2003
2600
alpha
110
111111
121212
123123
1234qwer
123abc
007
a
aaa
patrick
pat
administrator
root
sex
god
foobar
secret
test
test123
temp
temp123
win
pc
asdf
pwd
qwer
yxcv
zxcv
home
xxx
owner
login
Login
pw123
love
mypc
mypc123
admin123
mypass
mypass123

The worm also copies its executable file to the root directory of all removable disks as "setup.exe". It creates a file called "autorun.inf" which contains a link to the worm's executable file. This means that if the contents of a removable disk are viewed using Explorer, the worm's executable file will automatically be launched.

The worm also terminates and deletes the following services:

Schedule
Sharedaccess
RsCCenter
RsRavMon
KVWSC
KVSrvXP
Kavsvc
AVP
Kavsvc
McAfeeFramework
McShield
McTaskManager
Navapsvc
Wscsvc
KPfwSvc
SNDSrvc
ccProxy
ccEvtMgr
ccSetMgr
SPBBCSvc
Symantec Core LC
NPFMntor
MskService
FireSvc

It deletes the following values from the system registry:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
RavTask
KvMonXP
Kav
KAVPersonal50
McAfeeUpdaterU
Network Associates Error Reporting Service
ShStatEXE
YLive.exe
Yassistse

The worm downloads a list of further files to fetch from the following link:

http://www.ac86.cn/****/mm.txt

All downloaded files are saved to the Windows root directory (%WinDir%) and then launched for execution.

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

  1. Use Task Manager to terminate the worm process (it may be called "spoclsv.exe").
  2. Delete the original worm file (the location will depend on how the program originally penetrated the victim machine).
  3. Delete the following parameters from the system registry (see "What is a system registry and how do I use it?" for details on how to edit the registry).
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "Svcshare" = "%System%\drivers\spoclsv.exe"
    
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
    "Svcshare" = "%System%\drivers\spoclsv.exe"

    Delete the following file:

    %System%\drivers\spoclsv.exe

    Delete all copies of the worm from the hard disk.

    Delete the following files:

    autorun.inf
    setup.exe

    from the root directories of all removable disks.

  4. Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).

This worm spreads on the hard disk of the victim machine and to write-accessible network resources. It is a Windows PE EXE file. Modifications of this program may vary in size from 26KB to 129KB. The program may be packed with a range of packers.

Installation

When launched, the worm copies its executable file as follows:

%System%\drivers\spoclsv.exe

In order to ensure that the worm is launched automatically when the system is rebooted, it registers its executable file in the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Svcshare" = "%System%\drivers\spoclsv.exe"

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"Svcshare" = "%System%\drivers\spoclsv.exe"

Payload

©Virus-Encyclopedia.com All Rights Reserved.