
Win32.Rays.H


First posted on 21 November 2011.
Source: BitDefender

Aliases :

Win32.Rays.H is also known as Rays.

Explanation :

Win32.Rays.H was written in Visual Basic 6.0. The virus has a single window, which it hides by moving it outside the screen coordinates. An internal timer performs the following actions every second:

a) It creates the following files on every local disk:

- Windows.exe and ghost.bat. These files are copies of the original file.

- NetHood.htm, a script that runs windows.exe.

- Folder.htt, containing the same script code as NetHood.htm, except that it is marked read-only and hidden. Windows uses this file when opening a folder, so whenever the user views the contents of a folder with explorer.exe, this script is executed first (which means that the virus is executed).

- desktop.ini (a hidden and read-only file).

b) It copies itself into every subfolder, using the subfolder's name as the file name. It also creates a folder.htt in every subfolder. (A folder named MyFolder will contain myfolder.exe and folder.htt.)

c) It also copies itself to %WINDIR%/fonts under a random file name (58dd2.exe).

d) It modifies HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CurrentVersion\Run, key="TempCom", value="%WINDIR%/fonts/<randomname>.exe", which automatically runs the virus when Windows starts.

The virus spreads through floppy disks and shared folders (mainly because folder.htt is executed whenever a user opens the directory in explorer.exe).
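
A defensive check for the file layout described in a) and b), as an added example that is not part of the original write-up: it walks a directory tree and flags folders where folder.htt sits next to the dropped file names. The function names and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile

# File names from the description above, lower-cased because Windows
# file systems are case-insensitive.
ROOT_DROPS = {"windows.exe", "ghost.bat", "nethood.htm"}


def scan_tree(root):
    """Return (path, reason) findings for folders matching the described layout."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        names = {f.lower() for f in files}
        folder = os.path.basename(os.path.normpath(dirpath)).lower()
        has_htt = "folder.htt" in names
        # Item b): <foldername>.exe sitting next to folder.htt.
        if has_htt and folder + ".exe" in names:
            findings.append((dirpath, "exe named after folder + folder.htt"))
        # Item a): dropped copies or script sitting next to folder.htt.
        hits = ROOT_DROPS & names
        if has_htt and hits:
            findings.append((dirpath, "folder.htt + " + ", ".join(sorted(hits))))
    return findings


def build_sample(base):
    """Constructed sample tree of empty placeholder files (no real samples)."""
    layout = {
        "": ["Windows.exe", "ghost.bat", "NetHood.htm", "Folder.htt", "desktop.ini"],
        "MyFolder": ["myfolder.exe", "folder.htt", "notes.txt"],
        "Clean": ["clean.exe", "readme.txt"],      # exe alone is not flagged
        "Themed": ["folder.htt", "desktop.ini"],   # customised folder, no exe
    }
    for sub, files in layout.items():
        d = os.path.join(base, sub)
        os.makedirs(d, exist_ok=True)
        for name in files:
            open(os.path.join(d, name), "w").close()


def demo():
    with tempfile.TemporaryDirectory() as base:
        build_sample(base)
        return sorted((os.path.relpath(p, base), r) for p, r in scan_tree(base))


if __name__ == "__main__":
    for path, reason in demo():
        print(path, "->", reason)
```

A folder.htt or desktop.ini on its own is not flagged, since folder customisation on older Windows versions creates both legitimately.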

Last update 21 November 2011

 
