Allow F-Secure Anti-Virus to disinfect the relevant files.
For more general information on disinfection, please see Removal Instructions.
Eliminating a Local Network Outbreak
If the infection is in a local network, please follow the instructions on this webpage:
The worm is a PE (Portable Executable) file, 18432 bytes long, packed with the UPX file compressor. The unpacked file is over 44 kilobytes in size.
Installation to system
When run, the worm creates a mutex named 'DDDDefaceDDDD', copies itself to the Windows System directory as WINDRV32.EXE and creates a startup key for that file in the System Registry:
where %WinSysDir% represents the Windows System directory.
Additionally, the worm copies itself to the 'Start Menu\Programs\Startup\' folder of the current user as AUTOSTART.EXE.
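The host-side artifacts described above (the dropped WINDRV32.EXE, the AUTOSTART.EXE copy and the 'DDDDefaceDDDD' mutex) can be checked on a suspect machine with the following triage script. It is an added example, not F-Secure's tooling; it assumes Windows PowerShell 5.1 or later run as the affected user, and because the page does not give the registry key path, it scans the standard HKLM/HKCU Run keys for a value pointing at the dropped file.

```powershell
# Added triage script for the installation artifacts described on this page (not F-Secure's own code).
# Assumes Windows PowerShell 5.1+ run in the context of the affected user.
$indicators = @()

# 1. Dropped copy in the Windows System directory (%WinSysDir%\WINDRV32.EXE)
$sysCopy = Join-Path ([Environment]::GetFolderPath('System')) 'WINDRV32.EXE'
if (Test-Path -LiteralPath $sysCopy) {
    $size = (Get-Item -LiteralPath $sysCopy).Length
    $indicators += "Found $sysCopy ($size bytes; the described sample is 18432 bytes, UPX-packed)"
}

# 2. Copy in the current user's Startup folder (AUTOSTART.EXE)
$startupCopy = Join-Path ([Environment]::GetFolderPath('Startup')) 'AUTOSTART.EXE'
if (Test-Path -LiteralPath $startupCopy) {
    $indicators += "Found $startupCopy"
}

# 3. Run-key values referencing the dropped file. ASSUMPTION: the page does not name the
#    exact startup key, so the standard Run keys are scanned for the file name instead.
foreach ($hive in 'HKLM', 'HKCU') {
    $runKey = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
    if (Test-Path -Path $runKey) {
        foreach ($p in (Get-ItemProperty -Path $runKey).PSObject.Properties) {
            if ($p.Value -is [string] -and $p.Value -match 'WINDRV32\.EXE') {
                $indicators += "Run key $runKey\$($p.Name) = $($p.Value)"
            }
        }
    }
}

# 4. Mutex held by a live instance of the worm ('DDDDefaceDDDD')
try {
    $m = [System.Threading.Mutex]::OpenExisting('DDDDefaceDDDD')
    $m.Dispose()
    $indicators += "Mutex 'DDDDefaceDDDD' exists: a worm process is likely running"
} catch [System.Threading.WaitHandleCannotBeOpenedException] {
    # Mutex not present: no running instance visible from this session
} catch [System.UnauthorizedAccessException] {
    # Mutex exists but cannot be opened from this security context
    $indicators += "Mutex 'DDDDefaceDDDD' exists (access denied): a worm process is likely running"
}

if ($indicators.Count -gt 0) {
    $indicators | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output 'No installation artifacts of the described worm were found'
}
```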
Spreading in e-mails
The worm spreads by sending itself as an infected attachment to all e-mail addresses found on the infected computer. It looks for e-mail addresses in the Windows Address Book (WAB) and in files with the following extensions:
The worm avoids sending e-mails to e-mail addresses that contain any of the following substrings:
The subject of infected e-mails is selected from the following variants:
The body of infected e-mails is selected from the following variants:
The worm can send itself as an executable attachment or inside a ZIP archive, using one of the following names:
The worm can also attach a fake virus scan report to its message:
where can be any of the following:
The worm fakes the sender's address. It composes the fake address from the following list of first names:
It uses the following list of last names to compose the fake address:
It uses the following list of domain names to compose the fake address:
Downloading a backdoor
The worm downloads a backdoor from one of several websites and activates it. The backdoor is known as 'Surila.I' or 'BackDoor-CEB.c' and is downloaded from the following websites:
After September 20th, 2004, 01:18:31 the worm stops working and deletes its file from the hard drive.