W32.Belvira
First posted on 24 October 2015.
Source: Symantec
Aliases:
There are no other names known for W32.Belvira.
Explanation:
When the virus is executed, it creates the following files:
%Windir%\svchost.exe
%Windir%\system32\freizer.exe
%System%\smrss.exe
The virus may modify the following file:
%System%\windows.ini
Next, the virus creates the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"freizer" = "%Windir%\System32\freizer.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"svchost" = "%Windir%\system32\svchost.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "Explorer.exe smrss.exe"
The virus then scans the C: and D: drives and deletes files with the following extensions:
.xlsx
.xls
.txt
.jpg
.jpeg
.docx
.doc
.ppt
.3gp
The virus propagates by scanning the C: and D: drives and infecting files with the following extensions:
.exe
.scr
Last update 24 October 2015
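The file and registry indicators listed above can be checked on a host with a short PowerShell script. This is an added example, not part of the original write-up; it assumes %System% resolves to %Windir%\System32, and the variable names are illustrative.

```powershell
# Host check for the W32.Belvira indicators listed in the write-up above.
# Assumption: %System% resolves to %Windir%\System32 (default Windows layout).
$windir = $env:windir
$system = Join-Path $windir 'System32'

# Files the write-up says the virus creates.
$files = @(
    (Join-Path $windir 'svchost.exe'),   # the genuine svchost.exe lives in System32, not %Windir%
    (Join-Path $system 'freizer.exe'),
    (Join-Path $system 'smrss.exe')
)

$runKey      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$winlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$findings    = @()

foreach ($f in $files) {
    if (Test-Path -LiteralPath $f -PathType Leaf) {
        $findings += [pscustomobject]@{ Type = 'File'; Location = $f; Value = 'present' }
    }
}

# Run values named "freizer" and "svchost" are the persistence entries described.
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
foreach ($name in 'freizer', 'svchost') {
    if ($run -and $run.PSObject.Properties[$name]) {
        $findings += [pscustomobject]@{ Type = 'Run value'; Location = "$runKey\$name"; Value = $run.$name }
    }
}

# The write-up gives the modified Winlogon Shell value as "Explorer.exe smrss.exe".
$shell = (Get-ItemProperty -Path $winlogonKey -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell -match 'smrss\.exe') {
    $findings += [pscustomobject]@{ Type = 'Winlogon Shell'; Location = "$winlogonKey\Shell"; Value = $shell }
}

if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize -Wrap
} else {
    Write-Output 'No W32.Belvira indicators from the write-up were found.'
}
```

Run it from a 64-bit PowerShell session on 64-bit Windows, because a 32-bit process has System32 redirected to SysWOW64 and would miss the files.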