
Virus.Win32.Gpcode.ai

Other versions: .ac, .ad, .ae, .af, .ag, .ak, .f

Detection added Jul 16 2007 01:10 GMT
Description added Jul 16 2007
Behavior Virus

Technical details

This malicious program encrypts files on the victim machine. It is a Windows PE EXE file. It is packed using UPX. The unpacked file is 58,368 bytes in size.

The executable files of known variants of this virus are called "ntos.exe".

Payload

Once launched, the virus creates a unique encryption key, and saves it to the system registry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion]
"WinCode" = "<encryption key>"

The malicious program also adds itself to the system registry:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"UserInit" = "%System%\userinit.exe, %System%\ntos.exe"

This key value is periodically checked by system processes into which the virus has injected malicious code (e.g. "Winlogon.exe"). If the value is changed (i.e. if the "%System%\ntos.exe" entry is deleted), the injected code in the system process automatically restores it.

"%System%\ntos.exe" is protected from modification, renaming, and copying.

If the current system date is between 10th and 15th July 2007, the virus will encrypt all user files with the following extensions:

.12m .3ds .3dx .4ge .4gl .7z .a .a86 .abc .acd
.ace .act .ada .adi .aex .af3 .afd .ag4 .ai .aif
.aifc .aiff .ain .aio .ais .akf .alv .amp .ans .ap
.apa .apo .app .arc .arh .arj .arx .asc .asm .ask
.au .bak .bas .bb .bcb .bcp .bdb .bh .bib .bpr
.bsa .btr .bup .bwb .bz .bz2 .c .c86 .cac .cbl
.cc .cdb .cdr .cgi .cmd .cnt .cob .col .cpp .cpt
.crp .cru .csc .css .csv .ctx .cvs .cwb .cwk .cxe
.cxx .cyp .d .db .db0 .db1 .db2 .db3 .db4 .dba
.dbb .dbc .dbd .dbe .dbf .dbk .dbm .dbo .dbq .dbt
.dbx .dfm .djvu .dic .dif .dm .dmd .doc .dok .dot
.dox .dsc .dwg .dxf .dxr .eps .exp .f .fas .fax
.fdb .fla .flb .frm .fm .fox .frm .frt .frx .fsl
.gtd .gif .gz .gzip .h .ha .hh .hjt .hog .hpp
.htm .html .htx .ice .icf .inc .ish .iso .jar .jad
.java .jpg .jpeg .js .jsp .key .kwm .lst .lwp .lzh
.lzs .lzw .ma .mak .man .maq .mar .mbx .mdb .mdf
.mid .mo .myd .obj .old .p12 .pak .pas .pdf .pem
.pfx .php .php3 .php4 .pgp .pkr .pl .pm3 .pm4 .pm5
.pm6 .png .ppt .pps .prf .prx .ps .psd .pst .pw
.pwa .pwl .pwm .pwp .pxl .py .rar .res .rle .rmr
.rnd .rtf .safe .sar .skr .sln .swf .sql .tar .tbb
.tex .tga .tgz .tif .tiff .txt .vb .vp .wps .xcr
.xls .xml .zip

The virus drops a file called "read_me.txt" to every directory which contains encrypted files. The file contains the following text:

Hello, your files are encrypted with RSA-4096 algorithm (http://en.wikipedia.org/wiki/RSA).
You will need at least few years to decrypt these files without our software. All your private information for last 3 months were collected and sent to us.

To decrypt your files you need to buy our software. The price is $300.

To buy our software please contact us at: xxxxx@xxxx.com and provide us your personal code -XXXXX. After successful purchase we will send your decrypting tool, and your private information will be deleted from our system.

If you will not contact us until 07/15/2007 your private information will be shared and you will lost all your data.


Glamorous team

The virus also creates a hidden folder called "wsnpoem" in the Windows system directory, which contains two empty files: "video.dll" and "audio.dll".
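The two file-system artifacts described above (a "read_me.txt" note in every directory holding encrypted files, and the "wsnpoem" folder with empty "video.dll" and "audio.dll" in the system directory) can be swept for during triage. The following is an added example, not Kaspersky's code or tooling; it builds a constructed sample directory tree in a temporary folder so it runs offline on any platform, and it carries only a subset of the targeted extension list above (extend TARGETED_EXTENSIONS with the full list when deploying). The hidden attribute of "wsnpoem" is not checked, since that is Windows-specific.

```python
"""Triage sweep for the file-system artifacts named in the Gpcode.ai description.
Added example; the directory layout below is constructed, not captured data."""
import os
import tempfile
from pathlib import Path

# Subset of the extension list given in the description (assumption: a
# representative sample is enough for the demo; use the full list in practice).
TARGETED_EXTENSIONS = {
    ".doc", ".xls", ".ppt", ".pdf", ".txt", ".rtf", ".jpg", ".jpeg", ".png",
    ".zip", ".rar", ".7z", ".tar", ".gz", ".sql", ".mdb", ".dbf", ".pst",
    ".pem", ".pfx", ".p12", ".key", ".pgp", ".c", ".cpp", ".h", ".py", ".java",
}
RANSOM_NOTE = "read_me.txt"
NOTE_MARKER = "Glamorous team"   # signature line quoted in the description


def find_ransom_notes(root):
    """Map each directory under root that holds a read_me.txt carrying the
    note's signature line to the number of targeted-extension files beside it."""
    hits = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        if RANSOM_NOTE not in filenames:
            continue
        try:
            text = Path(dirpath, RANSOM_NOTE).read_text(errors="replace")
        except OSError:
            continue
        if NOTE_MARKER not in text:
            continue                      # some other read_me.txt, not the note
        targeted = sum(
            1 for f in filenames
            if f != RANSOM_NOTE and Path(f).suffix.lower() in TARGETED_EXTENSIONS
        )
        hits[dirpath] = targeted
    return hits


def has_wsnpoem_marker(system_dir):
    """True when <system_dir>/wsnpoem exists and holds the two empty DLL
    placeholders the description names."""
    folder = Path(system_dir, "wsnpoem")
    if not folder.is_dir():
        return False
    for name in ("video.dll", "audio.dll"):
        f = folder / name
        if not f.is_file() or f.stat().st_size != 0:
            return False
    return True


def build_sample_tree():
    """Constructed sample layout (not real infection data) for a dry run."""
    base = Path(tempfile.mkdtemp(prefix="gpcode_demo_"))
    docs = base / "Documents"
    docs.mkdir()
    (docs / "report.doc").write_bytes(b"\x00" * 32)   # stand-in for an encrypted file
    (docs / "notes.txt").write_text("plain")
    (docs / RANSOM_NOTE).write_text(
        "Hello, your files are encrypted ...\n\nGlamorous team\n")
    clean = base / "Pictures"                          # no note here
    clean.mkdir()
    (clean / "holiday.jpg").write_bytes(b"\xff\xd8")
    system = base / "system32"                         # stands in for %System%
    (system / "wsnpoem").mkdir(parents=True)
    (system / "wsnpoem" / "video.dll").touch()
    (system / "wsnpoem" / "audio.dll").touch()
    return base, system


def run_demo():
    """Sweep the constructed tree and return the findings as plain data."""
    base, system = build_sample_tree()
    notes = find_ransom_notes(base)
    return {
        "note_dirs": sorted(os.path.relpath(d, base) for d in notes),
        "targeted_counts": sorted(notes.values()),
        "wsnpoem": has_wsnpoem_marker(system),
    }


if __name__ == "__main__":
    print(run_demo())
```

Point `find_ransom_notes` at a user profile or a mounted image and `has_wsnpoem_marker` at the real system directory; the note's signature line is used as the discriminator so that unrelated "read_me.txt" files are not reported.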

Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

  1. Modify the system registry key value by adding any symbol to the end of the name of the malicious module, for example:
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "UserInit" = "%System%\userinit.exe, %System%\ntos.exe_"
  2. Reboot the computer.
  3. Manually delete the files listed below from the Windows system directory:
    ntos.exe
  4. If the malicious program has encrypted files on your machine, you can use Kaspersky Lab's free utility to decrypt them. Instructions and the utility itself can be found on the KL technical support site. Make sure you read the instructions carefully. Entering the wrong key could cause files to be irrevocably damaged.
  5. Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).
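The persistence mechanism in the Payload section (the extra "ntos.exe" entry in Winlogon's "UserInit" value, plus the "WinCode" value holding the encryption key) and removal step 1 above both operate on the same registry value. The following added example, which is not Kaspersky's code, parses a UserInit value, flags entries that are not the stock userinit.exe, and produces the rewritten value step 1 calls for. The registry snapshot it inspects is a constructed dictionary, so nothing here touches a live registry; the key paths and value names are the ones quoted in the description.

```python
"""Checks on the Winlogon UserInit value and the WinCode key named in the
Gpcode.ai description. Added example; SAMPLE_SNAPSHOT is constructed data."""
import ntpath

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
CURRENTVERSION_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
MALICIOUS_MODULE = "ntos.exe"

# Constructed snapshot shaped like the values quoted in the description.
SAMPLE_SNAPSHOT = {
    WINLOGON_KEY: {"UserInit": r"%System%\userinit.exe, %System%\ntos.exe"},
    CURRENTVERSION_KEY: {"WinCode": "<constructed placeholder key>"},
}


def parse_userinit(value):
    """Split the comma-separated UserInit value into entries, dropping the
    empty one a trailing comma leaves behind."""
    return [e.strip() for e in value.split(",") if e.strip()]


def unexpected_entries(value):
    """Every entry that is not userinit.exe; on a clean host this is empty."""
    return [e for e in parse_userinit(value)
            if ntpath.basename(e).lower() != "userinit.exe"]


def is_gpcode_persistence(value):
    """True when the module named in the description is in the value."""
    return any(ntpath.basename(e).lower() == MALICIOUS_MODULE
               for e in parse_userinit(value))


def neutralize(value, suffix="_"):
    """Removal step 1: append a symbol to the malicious module's name so the
    entry no longer resolves at the next boot, leaving other entries intact.
    Already-neutralized values are returned unchanged."""
    out = []
    for e in parse_userinit(value):
        if ntpath.basename(e).lower() == MALICIOUS_MODULE:
            e = e + suffix
        out.append(e)
    return ", ".join(out)


def audit_snapshot(snapshot):
    """Report the two registry indicators the description gives, as strings."""
    findings = []
    userinit = snapshot.get(WINLOGON_KEY, {}).get("UserInit", "")
    for e in unexpected_entries(userinit):
        findings.append("extra UserInit entry: " + e)
    if "WinCode" in snapshot.get(CURRENTVERSION_KEY, {}):
        findings.append("WinCode value present under CurrentVersion "
                        "(stored encryption key; export it before any cleanup)")
    return findings


if __name__ == "__main__":
    for line in audit_snapshot(SAMPLE_SNAPSHOT):
        print(line)
    print(neutralize(SAMPLE_SNAPSHOT[WINLOGON_KEY]["UserInit"]))
```

On a live Windows host the value can be read with the standard library's `winreg.OpenKey` and `winreg.QueryValueEx` on the Winlogon key and passed to `audit_snapshot` in the same dictionary shape. Note that the description says injected system processes restore the value when it is changed, which is why step 1 is followed immediately by a reboot rather than by deleting the entry.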

Copyright © 1996 - 2010
Kaspersky Lab