Origin: China
File size: 79.3 KB (81,245 bytes)
Packer: UPX
Programming language: Delphi
Icon: Folder
Type: Worm
B. About the malware
Its name was taken from its body, in which the string "Dhoos" appears many times. The original size of this worm without the packer is 528 KB (540,672 bytes). It presumably started spreading in Indonesia in early January 2011, although some antivirus products, including PCMAV, were already able to detect it with their heuristic techniques. Even so, some users whose computers were infected with the Dhoos worm sent samples to us. On computers without Windows Asian-language support installed, the worm's file name appears as random characters.
C. Companion files created
* Once activated, this worm creates 4 URL shortcuts on the desktop, all of which point to the website http://www.sfc***.com/
* On every drive there is a copy of the worm named My Documamts.exe.
* Creates a DLL file named BOSC.dll in the Common Files folder: C:\Program Files\Common Files\BOSC.dll.
* Creates a folder named "VSPS" on drive C:\ and a companion executable with the same name, VSPS.exe.
* Creates folders with random names such as "gqyjwihwwn" and "qloyaagnml", each holding a host copy of the worm, one named "explorer.exe" and the other "smss.exe".
* Rather than a startup entry in the registry, this worm copies its companion to the startup folder:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\liyfmphhgv.exe.
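The file artifacts listed above can be turned into a simple triage check. The script below is an added example written for this page, not code from the original report or from PCMAV; it assumes the paths are literal as written, that %SystemRoot% is C:\WINDOWS, and it uses a constructed sample listing rather than a real machine. Besides the fixed paths, it flags any explorer.exe or smss.exe outside the Windows directories and any bare .exe in the All Users startup folder, which is how the random-named copies can be caught without knowing their names in advance.

```python
import ntpath

# Fixed-path artifacts named in the report (paths assumed literal, lower-cased for matching).
KNOWN_ARTIFACTS = {
    r"c:\program files\common files\bosc.dll": "BOSC.dll dropped in Common Files",
    r"c:\vsps\vsps.exe": "VSPS companion executable",
}
STARTUP_DIR = r"c:\documents and settings\all users\start menu\programs\startup"
# The worm names its host copies after these system binaries; legitimate copies
# live only under %SystemRoot% (assumed C:\WINDOWS) and System32.
IMPERSONATED = {"explorer.exe", "smss.exe"}
LEGIT_PARENTS = {r"c:\windows", r"c:\windows\system32"}
DRIVE_ROOT_COPY = "my documamts.exe"   # the report's spelling, kept verbatim


def classify_path(path):
    """Return a reason string if the path matches a Dhoos indicator, else None."""
    p = ntpath.normpath(path).lower()
    if p in KNOWN_ARTIFACTS:
        return KNOWN_ARTIFACTS[p]
    parent, name = ntpath.split(p)
    # The misspelled name itself is the indicator, wherever the copy sits.
    if name == DRIVE_ROOT_COPY:
        return "worm copy (My Documamts.exe)"
    # The report says persistence is a copy in the All Users startup folder rather
    # than a registry Run entry; a bare .exe there (not a .lnk) is suspicious.
    if parent == STARTUP_DIR and name.endswith(".exe"):
        return "executable dropped in All Users startup folder"
    if name in IMPERSONATED and parent not in LEGIT_PARENTS:
        return f"{name} outside its legitimate location"
    return None


def scan(paths):
    """Run classify_path over a list of paths; return [(path, reason)] for hits."""
    hits = []
    for path in paths:
        reason = classify_path(path)
        if reason:
            hits.append((path, reason))
    return hits


# Constructed sample listing (not from a real machine): mixes the report's
# artifacts with benign paths to show what does and does not get flagged.
SAMPLE_PATHS = [
    r"C:\Program Files\Common Files\BOSC.dll",
    r"C:\VSPS\VSPS.exe",
    r"C:\gqyjwihwwn\explorer.exe",
    r"C:\qloyaagnml\smss.exe",
    r"C:\WINDOWS\explorer.exe",
    r"C:\WINDOWS\system32\smss.exe",
    r"D:\My Documamts.exe",
    r"D:\Backup\My Documents\notes.txt",
    r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\liyfmphhgv.exe",
    r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Office.lnk",
]

if __name__ == "__main__":
    for path, reason in scan(SAMPLE_PATHS):
        print(f"{path}  <-  {reason}")
```

On a live system, feed `scan()` the output of a recursive directory walk of each drive; the rules are deliberately name- and location-based so they keep working even though the worm's folder and startup names are randomised.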
D. Infection results
It does not do things by halves: this worm also redirects 187 application files with specific names to "ntsd -d", so that they can no longer be opened. The 187 file names that can no longer be opened are:
1. ~.exe
2. 360rpt.exe
3. 360Safe.exe
4. 360safebox.exe
5. 360sd.exe
6. 360sdrun.exe
7. 360tray.exe
8. 799d.exe
9. adam.exe
10. AgentSvr.exe
11. AntiU.exe
12. AoYun.exe
13. appdllman.exe
14. AppSvc32.exe
15. ArSwp.exe
16. ArSwp2.exe
17. ArSwp3.exe
18. AST.exe
19. atpup.exe
20. auto.exe
21. Autorun.exe
22. autoruns.exe
23. av.exe
24. AvastU3.exe
25. avconsol.exe
26. avgrssvc.exe
27. AvMonitor.exe
28. avp.com
29. avp.exe
30. AvU3Launcher.exe
31. CCenter.exe
32. ccSvcHst.exe
33. cross.exe
34. Discovery.exe
35. DSMain.exe
36. EGHOST.exe
37. FileDsty.exe
38. filmst.exe
39. FTCleanerShell.exe
40. FYFireWall.exe
41. ghost.exe
42. guangd.exe
43. HijackThis.exe
44. IceSword.exe
45. iparmo.exe
46. Iparmor.exe
47. irsetup.exe
48. isPwdSvc.exe
49. jisu.exe
50. kabaload.exe
51. KaScrScn.SCR
52. KASMain.exe
53. KASTask.exe
54. KAV32.exe
55. KAVDX.exe
56. KAVPF.exe
57. KAVPFW.exe
58. KAVSetup.exe
59. kavstart.exe
60. kernelwind32.exe
61. KISLnchr.exe
62. kissvc.exe
63. KMailMon.exe
64. KMFilter.exe
65. knsd.exe
66. knsdave.exe
67. knsdtray.exe
68. KPFW32.exe
69. KPFW32X.exe
70. KPfwSvc.exe
71. KRegEx.exe
72. KRepair.com
73. KsLoader.exe
74. KSWebShield.exe
75. KVCenter.kxp
76. KvDetect.exe
77. KvfwMcl.exe
78. KVMonXP.kxp
79. KVMonXP_1.kxp
80. kvol.exe
81. kvolself.exe
82. KvReport.kxp
83. KVScan.kxp
84. KVSrvXP.exe
85. KVStub.kxp
86. kvupload.exe
87. kvwsc.exe
88. KvXP.kxp
89. KvXP_1.kxp
90. KWatch.exe
91. KWatch9x.exe
92. KWatchX.exe
93. KWSMain.exe
94. kwstray.exe
95. KWSUpd.exe
96. loaddll.exe
97. logogo.exe
98. MagicSet.exe
99. mcconsol.exe
100. mmqczj.exe
101. mmsk.exe
102. Navapsvc.exe
103. Navapw32.exe
104. NAVSetup.exe
105. niu.exe
106. nod32.exe
107. nod32krn.exe
108. nod32kui.exe
109. NPFMntor.exe
110. pagefile.exe
111. pagefile.pif
112. pfserver.exe
113. PFW.exe
114. PFWLiveUpdate.exe
115. qheart.exe
116. QHSET.exe
117. QQDoctor.exe
118. QQDoctorMain.exe
119. QQDoctorRtp.exe
120. QQKav.exe
121. QQPCMgr.exe
122. QQPCRTP.exe
123. QQPCSmashFile.exe
124. QQPCTray.exe
125. QQSC.exe
126. qsetup.exe
127. Ras.exe
128. Rav.exe
129. ravcopy.exe
130. RavMon.exe
131. RavMonD.exe
132. RavStub.exe
133. RavTask.exe
134. RegClean.exe
135. rfwcfg.exe
136. rfwmain.exe
137. rfwProxy.exe
138. rfwsrv.exe
139. RsAgent.exe
140. Rsaupd.exe
141. rsnetsvr.exe
142. RsTray.exe
143. rstrui.exe
144. runiep.exe
145. safeboxTray.exe
146. safelive.exe
147. scan32.exe
148. ScanFrm.exe
149. ScanU3.exe
150. SDGames.exe
151. SelfUpdate.exe
152. servet.exe
153. shcfg32.exe
154. SmartUp.exe
155. sos.exe
156. SREng.exe
157. SREngPS.exe
158. stormii.exe
159. sxgame.exe
160. symlcsvc.exe
161. SysSafe.exe
162. tmp.exe
163. TNT.Exe
164. TrojanDetector.exe
165. Trojanwall.exe
166. TrojDie.kxp
167. TxoMoU.Exe
168. UFO.exe
169. UIHost.exe
170. UmxAgent.exe
171. UmxAttachment.exe
172. UmxCfg.exe
173. UmxFwHlp.exe
174. UmxPol.exe
175. upiea.exe
176. UpLive.exe
177. USBCleaner.exe
178. vsstat.exe
179. wbapp.exe
180. webscanx.exe
181. WoptiClean.exe
182. Wsyscheck.exe
183. XDelBox.exe
184. XP.exe
185. zhudongfangyu.exe
186. zjb.exe
187. zxsweep.exe
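Redirecting a program name to "ntsd -d" is done through the Debugger value under the Image File Execution Options (IFEO) registry key, which Windows honours whenever an image with that name is launched; the report does not name the key, so treating it as IFEO is an assumption based on the "ntsd -d" value. The audit below is an added example written for this page, not PCMAV's or the report's own code. It classifies a registry snapshot, generates reg.exe commands that remove only the hijacked values, and can read the live key with winreg on Windows. The sample snapshot is constructed, using a few names from the list above.

```python
import ntpath
import sys

IFEO_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"


def is_ntsd_hijack(debugger):
    """True when a Debugger value is the 'ntsd -d' block: the image is started
    under ntsd instead of running normally, so it never appears to launch."""
    if not debugger:
        return False
    tokens = debugger.strip().lower().split()
    if not tokens:
        return False
    exe = ntpath.basename(tokens[0].strip('"'))
    return exe in ("ntsd", "ntsd.exe") and "-d" in tokens[1:]


def audit_ifeo(snapshot):
    """Classify every image that carries a Debugger value.

    snapshot: {image_name: debugger_value_or_None}
    returns:  [(image_name, debugger_value, verdict)] where verdict is
              'hijacked' (ntsd -d) or 'review' (some other debugger is set)."""
    findings = []
    for image in sorted(snapshot, key=str.lower):
        debugger = snapshot[image]
        if debugger is None:
            continue
        verdict = "hijacked" if is_ntsd_hijack(debugger) else "review"
        findings.append((image, debugger, verdict))
    return findings


def remediation_commands(findings):
    """reg.exe commands that remove only the hijacked Debugger values.
    Deleting the value rather than the whole subkey keeps any other
    legitimate IFEO settings for that image intact."""
    return [
        f'reg delete "HKLM\\{IFEO_KEY}\\{image}" /v Debugger /f'
        for image, _dbg, verdict in findings
        if verdict == "hijacked"
    ]


def collect_ifeo_windows():
    """Read the live IFEO key with winreg; returns {} on non-Windows hosts."""
    if sys.platform != "win32":
        return {}
    import winreg
    snapshot = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, IFEO_KEY) as root:
        index = 0
        while True:
            try:
                image = winreg.EnumKey(root, index)
            except OSError:          # no more subkeys
                break
            index += 1
            try:
                with winreg.OpenKey(root, image) as sub:
                    snapshot[image] = winreg.QueryValueEx(sub, "Debugger")[0]
            except OSError:          # subkey has no Debugger value
                snapshot[image] = None
    return snapshot


# Constructed snapshot (not a real registry dump): a few names from the report's
# list with the worm's value, one untouched image, and one developer-style debugger.
SAMPLE_IFEO = {
    "360tray.exe": "ntsd -d",
    "avp.exe": "ntsd -d",
    "HijackThis.exe": "ntsd -d",
    "IceSword.exe": "ntsd -d",
    "notepad.exe": None,
    "myapp.exe": r"C:\Tools\windbg.exe",
}

if __name__ == "__main__":
    findings = audit_ifeo(collect_ifeo_windows() or SAMPLE_IFEO)
    for image, debugger, verdict in findings:
        print(f"{verdict:8} {image:24} Debugger = {debugger}")
    for cmd in remediation_commands(findings):
        print(cmd)
```

Entries marked 'review' are not necessarily malicious (developers sometimes set a real debugger under IFEO), which is why the cleanup commands are limited to the 'ntsd -d' pattern; run them from an elevated prompt only after the worm's processes have been stopped, otherwise it may simply rewrite the values.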
It has rootkit capabilities and hides inside Explorer.exe.
The worm's activity as seen in Process Explorer:
Because this worm makes the user visit a Chinese-language website, every time Internet Explorer is opened it shows a prompt to install the "Simplified Chinese" language package first:
When a flash disk is connected to the infected computer, all of its folders are hidden and replaced with the worm file.
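The folder-icon trick on removable media leaves a recognisable pattern: a hidden folder and, beside it, an executable with the same name. The script below is an added example for this page, not code from the original report; it assumes (as "replaced" implies) that the worm file takes the name of the folder it hides, and the flash-drive listing is constructed. The hidden attribute can only be read on Windows, so the directory reader degrades to "not hidden" elsewhere.

```python
import os
import stat
from dataclasses import dataclass

# Extensions that can carry a folder icon and run when double-clicked.
DISGUISE_EXTS = {".exe", ".scr", ".pif", ".com"}


@dataclass
class Entry:
    name: str
    is_dir: bool
    hidden: bool


def find_folder_mimics(entries):
    """Return [(file_name, folder_name)] for executables that carry the same
    base name as a hidden folder in the same directory."""
    hidden_dirs = {e.name.lower(): e.name for e in entries if e.is_dir and e.hidden}
    mimics = []
    for e in entries:
        if e.is_dir:
            continue
        stem, ext = os.path.splitext(e.name)
        if ext.lower() in DISGUISE_EXTS and stem.lower() in hidden_dirs:
            mimics.append((e.name, hidden_dirs[stem.lower()]))
    return mimics


def unhide_commands(entries):
    """attrib commands that restore the hidden folders (run from the drive root)."""
    return [f'attrib -h -s "{e.name}"' for e in entries if e.is_dir and e.hidden]


def list_directory(path):
    """Build Entry objects from a real directory; the hidden flag comes from
    st_file_attributes, which only exists on Windows."""
    entries = []
    for d in os.scandir(path):
        st = d.stat(follow_symlinks=False)
        attrs = getattr(st, "st_file_attributes", 0)
        hidden = bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)
        entries.append(Entry(d.name, d.is_dir(follow_symlinks=False), hidden))
    return entries


# Constructed listing of an infected flash drive root (not a real capture).
SAMPLE_USB_ROOT = [
    Entry("Photos", True, True),
    Entry("Photos.exe", False, False),
    Entry("Thesis", True, True),
    Entry("Thesis.exe", False, False),
    Entry("Music", True, False),
    Entry("readme.txt", False, False),
    Entry("setup.exe", False, False),
    Entry("My Documamts.exe", False, False),
]

if __name__ == "__main__":
    for exe, folder in find_folder_mimics(SAMPLE_USB_ROOT):
        print(f"{exe} mimics hidden folder {folder}")
    for cmd in unhide_commands(SAMPLE_USB_ROOT):
        print(cmd)
```

Having Explorer show file extensions and hidden items makes the same pattern visible by eye; the mimic files should be deleted before the folders are unhidden so that a user does not double-click the executable by mistake.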
I hope this content is useful for you....