File System Changes
Attention: %windir% represents the default Windows directory.
Creates these files:
• %windir%\system32\dx6vcl.dll
• %windir%\system32\notepod.exe
• %windir%\system32\disk.ico
• %windir%\system32\xtemp1.exe
• %windir%\system32\xtemp2.exe
Replaces the following file with a copy of itself:
• %windir%\system32\rsvp.exe
Note: The file called rsvp.exe is a Windows system file. Deletion of the malware file during disinfection will require the repair of the system file.
Creates these directories:
• %windir%\Web\webpf
• %windir%\Web\webdc
• %windir%\Web\webpt
• %windir%\Web\webhp
• %windir%\Web\webxs
Process Changes
Creates these processes:
• %windir%\system32\rsvp.exe
Uses these temporary processes:
• %windir%\system32\xtemp1.exe
• %windir%\system32\xtemp2.exe
These modules were loaded into other processes:
• %windir%\system32\dx6vcl.dll
Loaded into %windir%\system32\svchost.exe
Creates these mutexes:
• c:!windows!system32!config!systemprofile!local settings!temporary internet files!content.ie5!
• c:!windows!system32!config!systemprofile!cookies!
• c:!windows!system32!config!systemprofile!local settings!history!history.ie5!
Network Connections
Attempts to download files from:
• http://www.why001.com/[Removed].exe
• http://www.koreaara.com/down/[Removed].rar
• http://63.245.209.10/[Removed].dat
Registry Modifications
Sets these values:
• HKLM\System\CurrentControlSet\Control\Session Manager\SFC
ProgramFilesDir = C:\Program Files\x174
• HKLM\System\CurrentControlSet\Control\Session Manager\SFC
CommonFilesDir = C:\Program Files\Common Files
• HKLM\System\CurrentControlSet\Control\Session Manager
• HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt
Application = notepod.exe
• HKLM\System\CurrentControlSet\Services\RSVP
Type = 00000010
• HKLM\System\CurrentControlSet\Services\RSVP
Start = 00000002
• HKLM\System\CurrentControlSet\Services\RSVP
ErrorControl = 00000000
• HKCU\Software\Microsoft\Windows Script\Settings
JITDebug = 00000000
Creates these keys:
• HKLM\Software\Classes\Applications\notepod.exe
• HKLM\Software\Classes\Applications\notepod.exe\shell
• HKLM\Software\Classes\Applications\notepod.exe\shell\open
• HKLM\Software\Classes\Applications\notepod.exe\shell\open\command
• HKCU\Software\Microsoft\Windows Script
• HKCU\Software\Microsoft\Windows Script\Settings
Additional Details
Notepod:
Agent.ICF creates a file called notepod.exe and sets a registry value to associate .TXT files with it. If the system user opens a text file, notepod.exe will be launched, which in turn launches notepad.exe. Notepad.exe is a legitimate Windows file.
The launching of notepod.exe will once again execute the trojan-downloader mechanisms.
Automatic Updates:
Agent.ICF attempts to delete the Automatic Updates service. The Automatic Updates service enables the download and installation of Windows updates.
Autorun Features:
Agent.ICF also contains autorun features. See the Worm/W32:Autorun description for additional details. The autorun.inf file is copied to the root of a removable drive. Under a folder called recycled there is a file called cleardisk.pif. The PIF file is a copy of the trojan-downloader.
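Added example, not part of the original description: a read-only PowerShell audit that checks a host for the artifacts this description lists (the .TXT association hijack from the Notepod section, the dropped files, the replaced rsvp.exe and its auto-start RSVP service entry, the deleted Automatic Updates service, and the dropped %windir%\Web directories). It assumes PowerShell 4 or later; the service name wuauserv for Automatic Updates is an assumption, not something the description states.

```powershell
# Added audit script (not part of the original description): read-only checks for the
# Agent.ICF artifacts listed in this description. Assumes PowerShell 4 or later.
function Find-AgentIcfArtifacts {
    $findings = @()
    $sys32 = Join-Path $env:windir 'system32'
    # 1. .TXT association hijack: FileExts\.txt\Application pointing at notepod.exe
    $ext = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt'
    $app = (Get-ItemProperty -Path $ext -ErrorAction SilentlyContinue).Application
    if ($app -and ($app -ieq 'notepod.exe')) {
        $findings += ".txt Application value is '$app' (hijacked; expected notepad.exe)"
    }
    if (Test-Path 'HKLM:\Software\Classes\Applications\notepod.exe') {
        $findings += 'Handler key HKLM\Software\Classes\Applications\notepod.exe exists'
    }
    # 2. Dropped files in %windir%\system32 (names taken from the description)
    foreach ($name in 'dx6vcl.dll','notepod.exe','disk.ico','xtemp1.exe','xtemp2.exe') {
        $p = Join-Path $sys32 $name
        if (Test-Path -LiteralPath $p) { $findings += "Dropped file present: $p" }
    }
    # 3. rsvp.exe is replaced by a copy of the trojan; report its hash so it can be
    #    compared with a known-good copy (the description gives no hash to match on)
    $rsvp = Join-Path $sys32 'rsvp.exe'
    if (Test-Path -LiteralPath $rsvp) {
        $hash = (Get-FileHash -LiteralPath $rsvp -Algorithm SHA256).Hash
        $findings += "rsvp.exe present, SHA256=$hash (compare with a clean copy)"
    }
    # 4. RSVP service configured to auto-start (Start=2) as its own process (Type=0x10)
    $svcKey = 'HKLM:\System\CurrentControlSet\Services\RSVP'
    $svc = Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue
    if ($svc -and ($svc.Start -eq 2) -and ($svc.Type -eq 0x10)) {
        $findings += 'RSVP service set to auto-start (Start=2, Type=0x10)'
    }
    # 5. Automatic Updates service deleted. 'wuauserv' is its usual service name;
    #    this name is an assumption, not something the description states.
    if (-not (Get-Service -Name 'wuauserv' -ErrorAction SilentlyContinue)) {
        $findings += 'Automatic Updates service (wuauserv) is missing'
    }
    # 6. Dropped directories under %windir%\Web
    foreach ($d in 'webpf','webdc','webpt','webhp','webxs') {
        $p = Join-Path $env:windir "Web\$d"
        if (Test-Path -LiteralPath $p -PathType Container) { $findings += "Dropped directory: $p" }
    }
    return $findings
}

# Prints one line per finding; an empty result means none of the listed artifacts were found.
Find-AgentIcfArtifacts
```

Run it in an elevated session so the HKLM keys and system32 are readable; the rsvp.exe hash is only reported, since the description does not give a hash of the trojan copy to match against.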