The worm may arrive as an email attachment.
Once executed, the worm creates the following folders:
* C:\Documents and Settings\All Users\Application Data\Microsoft\Keyboard
* C:\Documents and Settings\All Users\Application Data\PolariSys
It searches all folders on all mapped, fixed and removable drives and copies itself to those folders in the following file name format:
[FOLDER NAME].exe
Note: At the time of writing, the following files with the [FOLDER NAME].exe format have been observed:
* C:\Windows.exe
* C:\Program Files.exe
It then copies itself as the following files:
* %System%\hlpsvc1.exe
* %System%\hlpsvc2.exe
* %SystemDrive%\Read1st!.exe
* %SystemDrive%\goats.exe
* %Windir%\Classified.exe
* %Windir%\system.exe
* %Windir%\lsass.exe
* %UserProfile%\My Documents\Classified.exe
* C:\Documents and Settings\All Users\Application Data\Microsoft\Keyboard\kbdsys.exe
* C:\Documents and Settings\All Users\Application Data\PolariSys\dirlock.exe
The worm creates the following file:
%Windir%\shutdown.dll
It also creates the following file so that it runs every time Windows starts:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Classified.exe
The worm creates the following registry entries so that it runs every time Windows starts:
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"WinSys" = "%Windir%\system.exe"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"LSAShell" = "%Windir%\lsass.exe"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"SessionMngr" = "C:\Documents and Settings\All Users\Application Data\PolariSys\dirlock.exe"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "Explorer.exe \"C:\Documents and Settings\All Users\Application Data\Microsoft\Keyboard\kbdsys.exe\"
It modifies the following registry entry to disable Windows Explorer:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoFolderOptions" = "1"
It then modifies the following registry entry to disable System Restore:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\"DisableSR" = "1"
The worm also modifies the following registry entries in order to hide its presence on the compromised computer:
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"Hidden" = "2"
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"HideFileExt" = "1"
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"ShowSuperHidden" = "1"
* HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"Hidden" = "2"
* HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"HideFileExt" = "1"
* HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"ShowSuperHidden" = "0"
* HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"SuperHidden" = "1"
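The Run-key, Winlogon Shell, policy and Explorer\Advanced changes listed above are all plain registry values, so they can be checked offline against a `reg export` (.reg) file taken from a suspect machine. The following script is an added example and not part of the original write-up: it parses .reg text (REG_SZ strings with their backslash escapes, and `dword:` values) and reports every value matching the persistence and concealment changes described above. The sample export embedded in it is constructed for the demo and mixes the write-up's values with two benign entries (OneDrive, Userinit) that must not be reported; the set of dropped file names comes from the write-up's own list.

```python
"""Flag the registry changes described in the write-up inside a .reg export.
Added example, not the original author's code; the sample text is constructed."""
import re
import sys
from typing import Dict, List, Tuple

# Constructed `reg export` text: tampered values from the write-up plus two
# benign values (OneDrive, Userinit) that a correct detector leaves alone.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"WinSys"="%Windir%\\system.exe"
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LSAShell"="%Windir%\\lsass.exe"
"SessionMngr"="C:\\Documents and Settings\\All Users\\Application Data\\PolariSys\\dirlock.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe \"C:\\Documents and Settings\\All Users\\Application Data\\Microsoft\\Keyboard\\kbdsys.exe\""
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR"=dword:00000001

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
"HideFileExt"=dword:00000001
"SuperHidden"=dword:00000001
'''

# Copies of the worm named in the write-up (lower-case basenames).  A Run
# value launching any of them is persistence; the genuine lsass.exe is never
# started from a Run key, so that name there is suspicious by itself.
DROPPED_BASENAMES = {"system.exe", "lsass.exe", "dirlock.exe", "kbdsys.exe",
                     "hlpsvc1.exe", "hlpsvc2.exe", "classified.exe",
                     "read1st!.exe", "goats.exe"}
# Explorer\Advanced values the write-up says are set to hide the worm's files.
CONCEALMENT_VALUES = {"hidden": "2", "hidefileext": "1", "superhidden": "1"}

VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')   # "Name"=data or @=data
EXE_RE = re.compile(r'([^\\/"]+\.exe)', re.IGNORECASE)         # first .exe basename in a command


def parse_reg_export(text: str) -> Dict[Tuple[str, str], str]:
    """Map (key path, value name) -> data.  REG_SZ escapes are removed;
    REG_DWORD hex becomes a decimal string."""
    values: Dict[Tuple[str, str], str] = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue
        name = m.group(1) if m.group(1) is not None else ""   # "@" is the default value
        data = m.group(2)
        if data.lower().startswith("dword:"):
            data = str(int(data[6:], 16))
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = re.sub(r"\\(.)", r"\1", data[1:-1])         # \\ -> \ and \" -> "
        values[(key, name)] = data
    return values


def find_indicators(values: Dict[Tuple[str, str], str]) -> List[str]:
    """One line per value matching the write-up.  Keys are matched by suffix
    so HKCU, HKLM and HKU\\.DEFAULT are all covered."""
    findings = []
    for (key, name), data in values.items():
        k, n = key.lower(), name.lower()
        if k.endswith(r"\currentversion\run"):
            exe = EXE_RE.search(data)
            if exe and exe.group(1).lower() in DROPPED_BASENAMES:
                findings.append(f"run-key persistence: {key}\\{name} = {data}")
        elif k.endswith(r"\winlogon") and n == "shell":
            # The write-up's Shell value starts kbdsys.exe beside Explorer;
            # anything other than a bare explorer.exe deserves review.
            if data.strip().lower() != "explorer.exe":
                findings.append(f"Winlogon Shell altered: {data}")
        elif k.endswith(r"\policies\explorer") and n == "nofolderoptions" and data == "1":
            findings.append(f"Folder Options disabled: {key}\\{name} = {data}")
        elif k.endswith(r"\systemrestore") and n == "disablesr" and data == "1":
            findings.append(f"System Restore disabled: {key}\\{name} = {data}")
        elif k.endswith(r"\explorer\advanced") and CONCEALMENT_VALUES.get(n) == data:
            findings.append(f"Explorer concealment setting: {key}\\{name} = {data}")
    return findings


def scan_reg_text(text: str) -> List[str]:
    return find_indicators(parse_reg_export(text))


if __name__ == "__main__":
    # Usage: python reg_iocs.py exported.reg   (reg export writes UTF-16LE)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-16") as fh:
            text = fh.read()
    else:
        text = SAMPLE_REG
    for finding in scan_reg_text(text):
        print(finding)
```

Run against the sample it reports nine findings (three Run values, the altered Shell, NoFolderOptions, DisableSR and the three Advanced values) and nothing for OneDrive or Userinit. Matching keys by suffix rather than by full path is deliberate: the write-up shows the same Advanced values under both HKEY_CURRENT_USER and HKEY_USERS\.DEFAULT, and an export of a mounted offline hive carries yet another prefix.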
The worm attempts to lower security settings by disabling specific security-related applications.
The worm hides file extensions and folders and copies itself under the folder's name using the Windows folder icon. If the icon is clicked, it executes the worm. The worm also launches the genuine folder in a separate window to infect files in it.
The worm spreads to all network drives by copying itself as the following files:
* %DriveLetter%\Classified.exe
* %DriveLetter%\Read1st!.exe
It creates the following files so that it executes whenever the drives are accessed:
* %DriveLetter%\autorun.inf
* %SystemDrive%\autorun.inf
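The on-disk traces described above (a `[FOLDER NAME].exe` beside a folder of the same name, an autorun.inf at the root of a drive, and the fixed file names the worm drops) can be found with a directory walk. The script below is an added example, not code from the original write-up: it scans a tree and reports those three conditions, reading the `open=` / `shellexecute=` lines of any autorun.inf so the responder sees what the drive would launch. The sample tree it builds in a temporary directory is constructed for the demo (empty placeholder files, no executables); the dropped-file names are taken from the write-up's lists.

```python
"""Find folder-impersonation copies, root autorun.inf and known dropped names.
Added example, not the original author's code; the demo tree is constructed."""
import os
import sys
import tempfile
from pathlib import Path
from typing import List

# Basenames the write-up lists as copies of the worm (lower case).
DROPPED_BASENAMES = {"system.exe", "lsass.exe", "dirlock.exe", "kbdsys.exe",
                     "hlpsvc1.exe", "hlpsvc2.exe", "classified.exe",
                     "read1st!.exe", "goats.exe"}


def autorun_target(path: Path) -> str:
    """Return the open= / shellexecute= targets of an autorun.inf."""
    targets = []
    for line in path.read_text(errors="replace").splitlines():
        key, _, value = line.partition("=")
        if key.strip().lower() in ("open", "shellexecute"):
            targets.append(value.strip())
    return ", ".join(targets) or "no launch target"


def scan_tree(root: Path) -> List[str]:
    """Walk `root` (a drive root or any folder) and report the write-up's traces.
    Name comparisons are lower-cased because Windows file names are case-insensitive."""
    root = Path(root)
    findings = []
    autorun = root / "autorun.inf"
    if autorun.is_file():
        findings.append(f"autorun.inf at root: {autorun} launches {autorun_target(autorun)}")
    for dirpath, dirnames, filenames in os.walk(root):
        lower_files = {f.lower(): f for f in filenames}
        for sub in dirnames:
            # The write-up's C:\Windows.exe / C:\Program Files.exe pattern:
            # an .exe named after a folder, sitting beside that folder.
            twin = lower_files.get(sub.lower() + ".exe")
            if twin:
                findings.append(f"folder impersonation: {Path(dirpath) / twin} beside folder {sub}")
        for f in filenames:
            if f.lower() in DROPPED_BASENAMES:
                findings.append(f"known dropped name: {Path(dirpath) / f}")
    return findings


def build_sample_tree(base: Path) -> Path:
    """Constructed layout mimicking a drive root after infection; every file
    is an empty placeholder except the autorun.inf text."""
    layout = {
        "autorun.inf": "[autorun]\nopen=Read1st!.exe\nshellexecute=Read1st!.exe\n",
        "Windows.exe": "", "Program Files.exe": "",
        "Read1st!.exe": "", "Classified.exe": "",
        "Windows/system.ini": "",
        "Program Files/app/readme.txt": "",
        "Documents/report.docx": "",
        "Documents/Photos.exe": "",
        "Documents/Photos/holiday.jpg": "",
    }
    for rel, content in layout.items():
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)
    return base


def demo() -> List[str]:
    """Scan the constructed tree; used when no path is given on the command line."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_tree(build_sample_tree(Path(tmp)))


if __name__ == "__main__":
    # Usage: python worm_traces.py D:\      (or no argument for the demo tree)
    results = scan_tree(Path(sys.argv[1])) if len(sys.argv) > 1 else demo()
    for line in results:
        print(line)
```

On the sample tree this yields six findings: the root autorun.inf pointing at Read1st!.exe, three impersonation files (Windows.exe, Program Files.exe and Documents\Photos.exe) and two dropped names (Read1st!.exe, Classified.exe); report.docx and holiday.jpg are not reported. Because the worm sets Explorer to hide extensions, a user sees two entries called "Windows" with the same icon; the scan does not rely on Explorer's view and so is unaffected by that setting.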
The worm may attempt to send emails.
OR JUST DOWNLOAD THIS SUPER EASY TO USE PROGRAM
Download it here (copy the link): http://www.filefront.com/15632337/Class-X.exe/
The password for the file is subatomica; just press Enter.
Monday, March 15, 2010