Hi folks,
Also consider this info:
For an in-depth analysis of one of these variants:
http://www.threatexpert.com/report.aspx?md5=b1afa9c453d42cf7d533587c8f22503b
delete files:
%windir%\17PHolmes1001186.exe
%programfilescommondir%\system\MSIWA32.exe
\boot.exe
delete registry keys:
INTEGRATED WINDOWS AUTHENTICATION
LEGACY_INTEGRATED_WINDOWS_AUTHENTICATION
Installation
Win32/Virut creates a mutex named L0ar or LaOS (or similar) which it uses to prevent multiple copies of itself from running on the host system.
Win32/Virut disables Windows System File Protection (SFP) by injecting code into WINLOGON.EXE. The injected code patches sfc_os.dll in memory, which in turn allows the virus to infect files protected by SFP.
Win32/Virut injects code into other processes, and this code will infect files with extensions .EXE and .SCR accessed by those processes.
Win32/Virut avoids infecting files whose names contain any of the following:
# WINC
# WCUN
# WC32
# PSTO
polonus
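As an added, read-only triage example (not code from the post above or from any vendor), the following PowerShell script checks a host for the indicators the post lists: the three file paths and the L0ar / LaOS mutex names. Mapping %programfilescommondir% to $env:CommonProgramFiles and placing \boot.exe on the system drive root are assumptions.

```powershell
# Constructed triage check for the Win32/Virut indicators quoted in the post.
# It only reads; it does not delete anything.

# File paths from the post. The %programfilescommondir% placeholder is assumed
# to correspond to $env:CommonProgramFiles, and "\boot.exe" to the system drive root.
$candidatePaths = @(
    (Join-Path $env:windir '17PHolmes1001186.exe'),
    (Join-Path $env:CommonProgramFiles 'system\MSIWA32.exe'),
    (Join-Path $env:SystemDrive 'boot.exe')
)

# Mutex names from the post. The post says "or similar", so other variants may
# use different names; a miss here does not prove the host is clean.
$mutexNames = @('L0ar', 'LaOS', 'Global\L0ar', 'Global\LaOS')

function Test-NamedMutex {
    param([string]$Name)
    $m = $null
    try {
        # TryOpenExisting returns $true only when a mutex of this name already exists.
        if ([System.Threading.Mutex]::TryOpenExisting($Name, [ref]$m)) {
            $m.Dispose()
            return 'present'
        }
        return 'absent'
    } catch [System.UnauthorizedAccessException] {
        # The object exists but this account may not open it: still a hit.
        return 'present (access denied)'
    }
}

$findings = @()
foreach ($p in $candidatePaths) {
    if (Test-Path -LiteralPath $p -PathType Leaf) {
        $item = Get-Item -LiteralPath $p
        $findings += "file present: $p ($($item.Length) bytes, modified $($item.LastWriteTime))"
    }
}
foreach ($n in $mutexNames) {
    $state = Test-NamedMutex -Name $n
    if ($state -ne 'absent') { $findings += "mutex ${n}: $state" }
}

if ($findings.Count -eq 0) {
    Write-Output 'No listed Win32/Virut indicators found (this does not rule out other variants).'
} else {
    Write-Output 'Win32/Virut indicators found:'
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

Run it from an elevated prompt so the mutex probe can see objects created in other sessions; a hit on any line warrants a full scan with an up-to-date engine rather than manual deletion alone.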