First posted on 06 June 2007.
Source: SecurityHome
Virus:W32/IndoVirus.A is also known as Virus.Win32.IndoVirus.a.
IndoVirus.A creates multiple copies of itself on all available drives. It passes itself off as a folder: it hides an original folder, writes a copy of itself under that folder's name and shows a folder-like icon, so the copy is what the user sees and double-clicks.
Installation to system
Upon execution, the virus drops copies of itself under random names into the Windows directory, the Windows system directory and the temporary directory:
- %windir%\system32\[random].com
- %windir%\[random].scr
- %temp%\[random].bat
It also drops the following files, which are copies of the virus:
- %userprofile%\My Documents\My Music.exe
- %userprofile%\My Documents\My Pictures.exe
The malware carries a folder icon. In the root directory of every drive on the infected machine it drops a copy of itself named after each existing folder, then marks the original folders hidden. With Explorer's default setting of hiding extensions for known file types, a copy named "My Music.exe" is displayed simply as "My Music" with a folder icon, so the malware passes for a valid folder on the hard drive.
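The folder-impersonation pattern described above can be hunted for directly: a directory carrying the Hidden attribute whose name reappears, with an executable extension, as a file in the same parent directory. The PowerShell below is an added example written for this page, not code from the original description; it checks the root of every filesystem drive plus the user's My Documents folder (the two locations the text names) and reports matches without deleting anything. The extension list is the set of file types the description mentions for the dropped copies.

```powershell
# Added example for this page (not from the original description): hunt for
# the folder-impersonation pattern - a Hidden directory <Name> with a file
# <Name>.exe / .scr / .com / .bat beside it. Read-only: reports, deletes nothing.

function Find-FolderImpersonators {
    param(
        # Directories to inspect: every filesystem drive root plus My Documents,
        # the two locations the description names.
        [string[]]$Paths = (@(Get-PSDrive -PSProvider FileSystem | ForEach-Object { $_.Root }) +
                            @([Environment]::GetFolderPath('MyDocuments'))),
        # Extensions of the dropped copies named in the description
        [string[]]$Extensions = @('.exe', '.scr', '.com', '.bat')
    )

    foreach ($path in $Paths) {
        if (-not (Test-Path -LiteralPath $path -PathType Container)) { continue }

        # -Force is required: the impersonated originals carry the Hidden attribute,
        # which Get-ChildItem skips by default.
        $entries = Get-ChildItem -LiteralPath $path -Force -ErrorAction SilentlyContinue
        $hiddenDirs = $entries | Where-Object {
            $_.PSIsContainer -and (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0)
        }

        foreach ($dir in $hiddenDirs) {
            foreach ($ext in $Extensions) {
                $candidate = Join-Path -Path $path -ChildPath ($dir.Name + $ext)
                if (Test-Path -LiteralPath $candidate -PathType Leaf) {
                    $file = Get-Item -LiteralPath $candidate -Force
                    [pscustomobject]@{
                        HiddenFolder = $dir.FullName
                        Impersonator = $file.FullName
                        SizeBytes    = $file.Length   # copies of one sample share a size
                        LastWrite    = $file.LastWriteTime
                    }
                }
            }
        }
    }
}

Find-FolderImpersonators | Format-Table -AutoSize
```

Hidden system folders such as "System Volume Information" appear in the root of every drive but have no same-named executable beside them, so they do not trigger a report; identical SizeBytes across several hits is a cheap confirmation that they are copies of one file.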
The virus modifies the Registry so that the user cannot switch Explorer to "Show hidden files and folders" and see the hidden originals. To check this, open Windows Explorer, choose Folder Options from the Tools menu and click the View tab: after infection the "Show hidden files and folders" option is no longer available, because the control's 'Type' has been blanked and Explorer does not render the radio button. The following Registry entries are modified:
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
  'Type' is set to blank (the normal value is the string 'radio')
- HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  'ShowSuperHidden' is set to 00000000
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt
  'UncheckedValue' is set to 00000001
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
  'CheckedValue' is set to 00000000
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden
  'UncheckedValue' is set to 00000001
The CheckedValue and UncheckedValue entries are the data Explorer writes when the user selects the corresponding option, so even where a control is still displayed, choosing "show hidden files" writes 0 instead of 1, and clearing "Hide extensions for known file types" writes 1 instead of 0: hidden folders stay hidden and the .exe extension of the copies stays out of sight.
Autostart
The virus creates the following startup Registry entries for its files:
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  Zul_Cinta_Anick = C:\WINDOWS\system32\[random].com
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Run
  cintaku = C:\WINDOWS\[random].scr
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  Explorer.exe = C:\WINDOWS\[random].scr
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
  Explorer.exe = C:\DOCUME~1\[user]\LOCALS~1\Temp\[random].bat
Payload
The virus disables the Windows Task Manager and modifies the following Registry entries, which hold the display names of the executable file classes:
- HKLM\SOFTWARE\Classes\exefile
  (default) = File Folder (the normal value is 'Application')
- HKLM\SOFTWARE\Classes\batfile
  (default) = Kabatia (the normal value is 'MS-DOS Batch file')
- HKLM\SOFTWARE\Classes\comfile
  (default) = Demi Allah Zul cinta kamu Anick (the normal value is 'MS-DOS Application')
The last string is Indonesian; in English: "Swear to God, Zul loves you Anick". Renaming the exefile class to "File Folder" makes Explorer's Type column describe every .exe, including the dropped copies, as a folder, which completes the disguise.
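The Folder Options, autostart and file-class changes listed in the Installation, Autostart and Payload sections can be audited from PowerShell. The script below is an added example for this page, not part of the original description and not a vendor tool: it reads each value the text names, compares it with a known-good value and, when run with -Restore from an elevated prompt, writes the known-good value back or deletes the autostart entry. Known-good values marked (description) are those the text itself gives; those marked (assumed) are standard Windows XP defaults and the usual DisableTaskMgr policy value, neither of which the description states. The two values whose normal setting the text does not give (ShowSuperHidden and SuperHidden\UncheckedValue) are reported only.

```powershell
# Added example for this page (not from the original description): audit and,
# with -Restore, repair the Registry values the description says the virus
# changes. "(description)" marks known-good values the text gives; "(assumed)"
# marks standard Windows XP defaults and the usual Task Manager policy value,
# which the text does not name. HKLM writes need an elevated prompt.

$Tampered = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
       Name = 'Type';           Good = 'radio';              Type = 'String' }          # (description)
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
       Name = 'CheckedValue';   Good = 1;                    Type = 'DWord' }           # (assumed)
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt'
       Name = 'UncheckedValue'; Good = 0;                    Type = 'DWord' }           # (assumed)
    @{ Key = 'HKLM:\SOFTWARE\Classes\exefile'
       Name = '(default)';      Good = 'Application';        Type = 'String' }          # (description)
    @{ Key = 'HKLM:\SOFTWARE\Classes\batfile'
       Name = '(default)';      Good = 'MS-DOS Batch file';  Type = 'String' }          # (description)
    @{ Key = 'HKLM:\SOFTWARE\Classes\comfile'
       Name = '(default)';      Good = 'MS-DOS Application'; Type = 'String' }          # (description)
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
       Name = 'Shell';          Good = 'Explorer.exe';       Type = 'String' }          # (assumed)
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'DisableTaskMgr'; Good = 0;  Type = 'DWord'; AbsentOk = $true }           # (assumed)
)

# Autostart values the description names. None of them should exist.
$Autostart = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run';         Name = 'Zul_Cinta_Anick' }
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Run';      Name = 'cintaku' }
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Explorer.exe' }
)

# Changed by the virus, but the description gives no normal value: report only.
$ReportOnly = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced';                      Name = 'ShowSuperHidden' }
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden'; Name = 'UncheckedValue' }
)

function Get-RegValue([string]$Key, [string]$Name) {
    # $null when the key or the value is absent; '' addresses the (default) value.
    $k = Get-Item -LiteralPath $Key -ErrorAction SilentlyContinue
    if ($null -eq $k) { return $null }
    $k.GetValue($(if ($Name -eq '(default)') { '' } else { $Name }))
}

function Test-IndoVirusRegistry {
    param([switch]$Restore)

    foreach ($t in $Tampered) {
        $cur = Get-RegValue $t.Key $t.Name
        $ok  = if ($null -eq $cur) { [bool]$t.AbsentOk } else { "$cur" -eq "$($t.Good)" }
        [pscustomobject]@{ Key = $t.Key; Name = $t.Name; Current = $cur; Expected = $t.Good; OK = $ok }
        if (-not $ok -and $Restore) {
            if (-not (Test-Path -LiteralPath $t.Key)) { New-Item -Path $t.Key -Force | Out-Null }
            Set-ItemProperty -LiteralPath $t.Key -Name $t.Name -Value $t.Good -Type $t.Type
        }
    }
    foreach ($a in $Autostart) {
        $cur = Get-RegValue $a.Key $a.Name
        $ok  = ($null -eq $cur)
        [pscustomobject]@{ Key = $a.Key; Name = $a.Name; Current = $cur; Expected = '<absent>'; OK = $ok }
        if (-not $ok -and $Restore) { Remove-ItemProperty -LiteralPath $a.Key -Name $a.Name }
    }
    foreach ($r in $ReportOnly) {
        $cur = Get-RegValue $r.Key $r.Name
        [pscustomobject]@{ Key = $r.Key; Name = $r.Name; Current = $cur; Expected = '(see text)'; OK = $null }
    }
}

# Audit only. Use "Test-IndoVirusRegistry -Restore" to write the known-good values back.
Test-IndoVirusRegistry | Format-Table -AutoSize -Wrap
```

The Winlogon Shell check treats anything other than exactly "Explorer.exe" as a finding, which catches a second program appended after the shell name as well as a full replacement. Because the virus keeps copies in several locations and starts them from several keys, a Registry repair made while a copy is still running may simply be undone; stop and remove the dropped files first, then run the audit again to confirm the values stay fixed.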
Last update 06 June 2007