About the "Dhoos" Worm, and How It Works

Malware usually aims to damage the victim's computer or to steal certain information, but the worm named Dhoos is slightly different. Some malware uses a website to download a specific file; Dhoos's website only offers a few products that can be bought online, and the whole site is in Chinese.

A. File Info
Name: Dhoos
Origin: China
File Size: 79.3 KB (81,245 bytes)
Packer: UPX
Language: Delphi
Icon: Folder
Type: Worm


B. About the Malware

The name was taken from the string "Dhoos", which appears many times in the worm's body. Without the packer, the original size of this worm is 528 KB (540,672 bytes). It presumably started spreading in Indonesia in early January 2011; some antivirus products, including PCMAV, could already identify it with heuristic techniques, but several users whose computers were infected by Dhoos still sent samples to us. On computers without the East Asian language files for Windows installed, the worm's file name appears as random characters.

C. Companion Files Created

* Once active, the worm creates 4 URL shortcuts on the desktop, all of which lead to the website http://www.sfc***.com/
* On every drive it drops a copy of itself named My Documamts.exe.
* It creates a DLL named BOSC.dll in the Common Files folder: C:\Program Files\Common Files\BOSC.dll.
* It creates a folder named VSPS on drive C:\ together with a companion file of the same name, VSPS.exe.
* It creates folders with random names such as "gqyjwihwwn" and "qloyaagnml", each containing a host copy of the worm, one named "explorer.exe" and the other "smss.exe".
* Instead of a startup entry in the registry, the worm copies its companion into the Startup folder:

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\liyfmphhgv.exe



D. Results of Infection
The worm goes all out: it also hijacks 187 application file names, mostly antivirus and system tools, by registering "ntsd -d" as their debugger (the Image File Execution Options technique). Whenever Windows is asked to start one of these names it launches "ntsd -d" instead, so the real program never runs. The 187 file names that can no longer be opened are:

1. ~.exe
2. 360rpt.exe  
3. 360Safe.exe  
4. 360safebox.exe  
5. 360sd.exe  
6. 360sdrun.exe  
7. 360tray.exe 
8. 799d.exe 
9. adam.exe  
10. AgentSvr.exe  
11. AntiU.exe  
12. AoYun.exe  
13. appdllman.exe  
14. AppSvc32.exe  
15. ArSwp.exe 
16. ArSwp2.exe  
17. ArSwp3.exe  
18. AST.exe  
19. atpup.exe  
20. auto.exe 
21. Autorun.exe  
22. autoruns.exe  
23. av.exe  
24. AvastU3.exe  
25. avconsol.exe  
26. avgrssvc.exe  
27. AvMonitor.exe  
28. avp.com
29. avp.exe  
30. AvU3Launcher.exe  
31. CCenter.exe  
32. ccSvcHst.exe  
33. cross.exe  
34. Discovery.exe 
35. DSMain.exe  
36. EGHOST.exe 
37. FileDsty.exe  
38. filmst.exe  
39. FTCleanerShell.exe 
40. FYFireWall.exe  
41. ghost.exe  
42. guangd.exe  
43. HijackThis.exe
44. IceSword.exe  
45. iparmo.exe  
46. Iparmor.exe  
47. irsetup.exe  
48. isPwdSvc.exe  
49. jisu.exe  
50. kabaload.exe
51. KaScrScn.SCR  
52. KASMain.exe  
53. KASTask.exe  
54. KAV32.exe  
55. KAVDX.exe 
56. KAVPF.exe
57. KAVPFW.exe  
58. KAVSetup.exe  
59. kavstart.exe  
60. kernelwind32.exe  
61. KISLnchr.exe  
62. kissvc.exe  
63. KMailMon.exe 
64. KMFilter.exe
65. knsd.exe
66. knsdave.exe  
67. knsdtray.exe  
68. KPFW32.exe  
69. KPFW32X.exe  
70. KPfwSvc.exe 
71. KRegEx.exe  
72. KRepair.com  
73. KsLoader.exe
74. KSWebShield.exe  
75. KVCenter.kxp  
76. KvDetect.exe  
77. KvfwMcl.exe 
78. KVMonXP.kxp
79. KVMonXP_1.kxp  
80. kvol.exe  
81. kvolself.exe  
82. KvReport.kxp  
83. KVScan.kxp  
84. KVSrvXP.exe 
85. KVStub.kxp
86. kvupload.exe 
87. kvwsc.exe
88. KvXP.kxp 
89. KvXP_1.kxp
90. KWatch.exe  
91. KWatch9x.exe
92. KWatchX.exe 
93. KWSMain.exe
94. kwstray.exe  
95. KWSUpd.exe 
96. loaddll.exe
97. logogo.exe  
98. MagicSet.exe  
99. mcconsol.exe  
100. mmqczj.exe  
101. mmsk.exe  
102. Navapsvc.exe  
103. Navapw32.exe  
104. NAVSetup.exe  
105. niu.exe  
106. nod32.exe  
107. nod32krn.exe  
108. nod32kui.exe  
109. NPFMntor.exe
110. pagefile.exe
111. pagefile.pif  
112. pfserver.exe  
113. PFW.exe  
114. PFWLiveUpdate.exe  
115. qheart.exe  
116. QHSET.exe  
117. QQDoctor.exe  
118. QQDoctorMain.exe  
119. QQDoctorRtp.exe  
120. QQKav.exe  
121. QQPCMgr.exe 
122. QQPCRTP.exe  
123. QQPCSmashFile.exe 
124. QQPCTray.exe 
125. QQSC.exe  
126. qsetup.exe 
127. Ras.exe  
128. Rav.exe  
129. ravcopy.exe  
130. RavMon.exe 
131. RavMonD.exe  
132. RavStub.exe  
133. RavTask.exe  
134. RegClean.exe  
135. rfwcfg.exe  
136. rfwmain.exe  
137. rfwProxy.exe  
138. rfwsrv.exe  
139. RsAgent.exe 
140. Rsaupd.exe  
141. rsnetsvr.exe  
142. RsTray.exe  
143. rstrui.exe  
144. runiep.exe  
145. safeboxTray.exe  
146. safelive.exe 
147. scan32.exe  
148. ScanFrm.exe  
149. ScanU3.exe  
150. SDGames.exe
151. SelfUpdate.exe  
152. servet.exe  
153. shcfg32.exe  
154. SmartUp.exe 
155. sos.exe  
156. SREng.exe
157. SREngPS.exe
158. stormii.exe  
159. sxgame.exe  
160. symlcsvc.exe  
161. SysSafe.exe  
162. tmp.exe  
163. TNT.Exe  
164. TrojanDetector.exe  
165. Trojanwall.exe  
166. TrojDie.kxp  
167. TxoMoU.Exe  
168. UFO.exe  
169. UIHost.exe  
170. UmxAgent.exe 
171. UmxAttachment.exe  
172. UmxCfg.exe 
173. UmxFwHlp.exe  
174. UmxPol.exe  
175. upiea.exe  
176. UpLive.exe  
177. USBCleaner.exe 
178. vsstat.exe  
179. wbapp.exe  
180. webscanx.exe  
181. WoptiClean.exe  
182. Wsyscheck.exe  
183. XDelBox.exe  
184. XP.exe  
185. zhudongfangyu.exe  
186. zjb.exe  
187. zxsweep.exe 

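As an added triage example (not code from the original article, nor part of PCMAV or any other product), the following Python script parses a registry export of the Image File Execution Options key, lists every image name whose Debugger value is "ntsd -d", and builds a .reg file that removes only that value. The sample export is constructed for this example and only borrows three names from the list above; "devapp.exe" and "iexplore.exe" are made-up entries showing what a legitimate debugger and a key without a Debugger value look like. On a real machine export the key with `reg export` (the file is UTF-16, so open it with encoding="utf-16"), and on 64-bit Windows also check the Wow6432Node copy of the key.

```python
import re
from typing import Dict, List

# Constructed sample of what
#   reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg
# might give on an infected machine, after decoding the UTF-16 file to str.
# The three "ntsd -d" entries borrow names from the list above; devapp.exe is a
# made-up legitimate debugger entry and iexplore.exe a key with no Debugger value.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe]
"Debugger"="ntsd -d"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe]
"Debugger"="ntsd -d"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP.kxp]
"Debugger"="NTSD -D"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\devapp.exe]
"Debugger"="\"C:\\Program Files\\Debugging Tools for Windows\\windbg.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"DisableHeapLookaside"=dword:00000001
"""

IFEO_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
IFEO_MARKER = "\\image file execution options\\"
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
STRING_VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)+)"="(?P<data>(?:[^"\\]|\\.)*)"$')


def unescape_reg(data: str) -> str:
    """Undo .reg string escaping (doubled backslashes and backslash-quote)."""
    return re.sub(r"\\(.)", r"\1", data)


def parse_ifeo_debuggers(reg_text: str) -> Dict[str, str]:
    """Map image name -> Debugger command for every IFEO subkey that sets one.
    Matching is case-insensitive, like the registry; nested subkeys (e.g. PerfOptions) are ignored."""
    debuggers: Dict[str, str] = {}
    current_image = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            key = key_match.group("key")
            pos = key.lower().find(IFEO_MARKER)
            current_image = None
            if pos != -1:
                parts = key[pos + len(IFEO_MARKER):].split("\\")
                if len(parts) == 1 and parts[0]:
                    current_image = parts[0]
            continue
        if current_image is None:
            continue
        value_match = STRING_VALUE_RE.match(line)
        if value_match and value_match.group("name").lower() == "debugger":
            debuggers[current_image] = unescape_reg(value_match.group("data"))
    return debuggers


def flag_ntsd_hijacks(debuggers: Dict[str, str]) -> List[str]:
    """Image names whose registered 'debugger' is ntsd -d, i.e. the program is blocked,
    not debugged. A genuine debugger path (windbg and friends) is left alone."""
    flagged = []
    for image, command in debuggers.items():
        tokens = command.lower().split()
        if not tokens:
            continue
        program = tokens[0].strip('"').rsplit("\\", 1)[-1]
        if program in ("ntsd", "ntsd.exe") and "-d" in tokens[1:]:
            flagged.append(image)
    return sorted(flagged, key=str.lower)


def cleanup_reg(images: List[str]) -> str:
    """Build a .reg file that removes only the Debugger value ("Debugger"=- deletes a value),
    leaving any legitimate settings under the same key in place."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for image in images:
        lines.append(f"[{IFEO_ROOT}\\{image}]")
        lines.append('"Debugger"=-')
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    hijacked = flag_ntsd_hijacks(parse_ifeo_debuggers(SAMPLE_REG_EXPORT))
    print("blocked by ntsd -d:", ", ".join(hijacked))
    print(cleanup_reg(hijacked))
```

Removing the value instead of the whole key matters because IFEO subkeys can legitimately carry other settings (GlobalFlag, heap options) that an administrator or installer put there; deleting the key would drop those too.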
It also has rootkit-like capability, hiding itself inside Explorer.exe.

This is the worm's activity as seen in Process Explorer:

Because the worm makes the user visit a Chinese-language website, every time Internet Explorer is opened it shows a prompt to install the "Simplified Chinese" language pack first.

On any flash disk connected to the infected computer, every folder is hidden and a copy of the worm, carrying the folder icon, is put in its place.
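As an added example (not the article's own tool), this Python script looks at the top level of a removable drive for the two layouts described above: an executable sitting beside a folder of the same name (the hidden-folder trick), and the dropped file name "My Documamts.exe" from section C. The sample "drive" is a temporary directory the script builds itself; the hidden-attribute check is Windows-only and falls back to the dot-file convention elsewhere. The script only reports, it never deletes or runs anything.

```python
import os
import stat
import sys
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# File names the analysis above reports the worm dropping on every drive
# (the "My Documamts" misspelling is the worm's own).
KNOWN_DROPPED_NAMES = {"my documamts.exe"}

# Extensions Windows will execute from a double-click on a folder-looking icon.
EXEC_SUFFIXES = {".exe", ".scr", ".pif", ".com"}


def is_hidden(path: Path) -> bool:
    """Hidden attribute on Windows; on other platforms fall back to the dot-file convention."""
    if sys.platform == "win32":
        return bool(path.stat().st_file_attributes & stat.FILE_ATTRIBUTE_HIDDEN)
    return path.name.startswith(".")


def triage_drive(root: str) -> Dict[str, List]:
    """Inspect the top level of a drive and return
    - mimics: (exe name, folder name, folder hidden?) where an executable shadows a folder
    - known_dropped: files whose name is one the worm is known to drop."""
    root_path = Path(root)
    mimics: List[Tuple[str, str, bool]] = []
    known: List[str] = []
    for entry in sorted(root_path.iterdir(), key=lambda p: p.name.lower()):
        if not entry.is_file():
            continue
        if entry.name.lower() in KNOWN_DROPPED_NAMES:
            known.append(entry.name)
        if entry.suffix.lower() in EXEC_SUFFIXES:
            twin = root_path / entry.stem  # "Photos.exe" -> "Photos"
            if twin.is_dir():
                mimics.append((entry.name, twin.name, is_hidden(twin)))
    return {"mimics": mimics, "known_dropped": known}


def build_sample_drive() -> str:
    """Constructed stand-in for an infected flash drive: two real folders, one of them
    shadowed by a same-named .exe, plus the dropped file name from the report."""
    drive = tempfile.mkdtemp(prefix="usb_")
    os.mkdir(os.path.join(drive, "Photos"))
    os.mkdir(os.path.join(drive, "Work"))
    for name in ("Photos.exe", "My Documamts.exe", "readme.txt"):
        open(os.path.join(drive, name), "wb").close()
    return drive


if __name__ == "__main__":
    report = triage_drive(sys.argv[1] if len(sys.argv) > 1 else build_sample_drive())
    for exe, folder, hidden in report["mimics"]:
        print(f"{exe} shadows folder {folder!r} (hidden={hidden})")
    for name in report["known_dropped"]:
        print(f"known dropped name present: {name}")
```

Run it with a drive letter as the argument (for example `python triage.py E:\`) on a suspect stick; with no argument it runs against the constructed sample. Folders that are hidden on a real drive will not show in Explorer with default settings, which is exactly why checking the attribute of the twin folder is worth the extra line.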

I hope this content is useful to you.
 
 
© 2011 Kodok Bule | Except as noted, this content is licensed under Creative Commons Attribution 2.5.