This trojan was reportedly distributed with a hacked version of
Windows 98. The trojan itself is a DOS EXE file packed with
PKLite and named INSTALAR.EXE. The trojan contains several text
strings in its body that it runs as batch commands on certain
occasions. The trojan looks up the COMSPEC variable and runs
COMMAND.COM with the /C option and a specific command. The
commands are not visible because the trojan redirects their
output to >NUL.
When the trojan is run for the first time, it copies itself as
KEYB.EXE to the root C:\ folder. The trojan tries to execute 2
batch commands during its initial installation. The first command
copies the trojan to C:\ and the second runs the WB32OFF.EXE file
if it exists (a disguise?). If it doesn't, the 'Bad command or
file name' message appears.
The trojan doesn't modify the AUTOEXEC.BAT file to run its copy
every time the system starts. But it gets control on Windows
systems where keyboard configuration commands are present in
AUTOEXEC.BAT (they use the KEYB.COM file in the \Windows\Command\
folder, but the trojan, being in the root C:\ folder, gains
control instead).
After the first reboot the trojan checks the system date, creates
a WB32OFF.TXT file in the \Windows\System32\ folder and writes the
current month and year there as ASCII data, deletes the SORT.EXE
file, runs KEYB.COM with Spanish keyboard settings and exits. Then
it copies KEYB.COM as SORT.COM. Later on the trojan will start
SORT.COM and set the Spanish keyboard configuration. After some
time the trojan will delete KEYB.COM and its file (KEYB.EXE) from
the C:\ folder, and from then on it will be started from the
\Windows\Command folder.
On the 1st of January 2000 the trojan activates its payload. It
deletes all files from disk C:. To speed up the process the
trojan tries to start SMARTDRV first.
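
As an added example (not part of the original description and not
vendor tooling), the following Python script checks an offline copy
of drive C: for the artifacts described above while the trojan's copy
is still in the root folder. It assumes upper-case directory names and
that SORT.EXE and SORT.COM sit in \Windows\Command; the function names
and the sample tree are constructed for illustration.

```python
import os
import tempfile

EXEC_EXT = (".COM", ".EXE", ".BAT")  # DOS executable extensions

def listing(path):
    """Upper-cased entry names in path (empty set if the folder is missing)."""
    return {n.upper() for n in os.listdir(path)} if os.path.isdir(path) else set()

def find_indicators(root):
    """Check an offline copy of drive C: (rooted at `root`) for the artifacts."""
    top = listing(root)
    command = listing(os.path.join(root, "WINDOWS", "COMMAND"))
    system32 = listing(os.path.join(root, "WINDOWS", "SYSTEM32"))
    hits = []
    # A program in the root folder with the same base name as one in
    # \Windows\Command is found first when AUTOEXEC.BAT calls it without a path.
    bases = {os.path.splitext(n)[0] for n in command if n.endswith(EXEC_EXT)}
    for name in sorted(top):
        base, ext = os.path.splitext(name)
        if ext in EXEC_EXT and base in bases:
            hits.append("root shadows system command: " + name)
    if "WB32OFF.TXT" in system32:
        hits.append("date marker WB32OFF.TXT present")
    # Assumption: SORT.EXE normally lives in \Windows\Command.
    if "SORT.COM" in command and "SORT.EXE" not in command:
        hits.append("SORT.EXE replaced by SORT.COM")
    return hits

def demo():
    """Constructed sample tree: the state after the first reboot."""
    with tempfile.TemporaryDirectory() as root:
        for rel in ("KEYB.EXE", "AUTOEXEC.BAT", "WINDOWS/COMMAND/KEYB.COM",
                    "WINDOWS/COMMAND/SORT.COM", "WINDOWS/SYSTEM32/WB32OFF.TXT"):
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
        return find_indicators(root)

if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

Point `find_indicators` at a mounted or extracted copy of the disk
rather than a running system, since the trojan removes its root copy
after some time.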