This virus usually arrives as UPX-compressed code prepended to a host file. When the infected file is run, this virus begins its infection routine.
After decompressing its code, it locates the shared folder of the Kazaa file-sharing program by checking the following registry entry:
If it does not find the registry entry, it checks another entry, "DownloadDir", from the same registry key to obtain the Kazaa shared folder.
It also locates the Internet Explorer download directory by checking the following registry entry:
This virus then locates all .EXE files in the Internet Explorer download directory and the Kazaa shared folder and infects the files as they are found. It infects by prepending its UPX-compressed code to the host files.
If none of the target folders exist, it simply terminates.
This virus contains a bug that causes it to corrupt some files during infection.
This virus attempts to delete uncommon files, such as 010101.DAT and Hanta, from the Windows folder. These files are likely non-existent on most systems.
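The prepending layout described above leaves a recognizable shape on disk: a UPX-packed executable followed by a second, complete executable (the original host). The following check for that shape is an added example, not part of the original description or of any vendor tool; it assumes the host starts exactly where the prepended code's raw section data ends and that the packed code keeps UPX's default section names, and the sample files are constructed in `make_pe`.

```python
import struct

def pe_layout(data, base=0):
    """Parse the PE starting at data[base:]; return (section names, end offset of raw data) or None."""
    if len(data) < base + 0x40 or data[base:base + 2] != b"MZ":
        return None
    pe = base + struct.unpack_from("<I", data, base + 0x3C)[0]   # e_lfanew
    if len(data) < pe + 24 or data[pe:pe + 4] != b"PE\0\0":
        return None
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    table = pe + 24 + struct.unpack_from("<H", data, pe + 20)[0]  # skip optional header
    if len(data) < table + 40 * nsec:
        return None
    names, end = [], table + 40 * nsec
    for off in range(table, table + 40 * nsec, 40):
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        names.append(data[off:off + 8].rstrip(b"\0"))
        end = max(end, base + raw_ptr + raw_size)
    return names, end

def looks_prepended(data):
    """Heuristic: UPX-packed outer PE whose overlay is itself a complete PE file."""
    outer = pe_layout(data)
    if outer is None:
        return False
    names, end = outer
    packed = any(n.startswith(b"UPX") for n in names)
    return packed and end < len(data) and pe_layout(data, end) is not None

def make_pe(names, blob=b"\x90" * 16):
    """Constructed minimal PE (headers plus one raw blob per section), for the demo only."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, 0, 0x102)
    raw = 0x40 + len(coff) + 40 * len(names)
    table = b""
    for i, name in enumerate(names):
        table += name.ljust(8, b"\0") + struct.pack(
            "<IIII", len(blob), 0x1000 * (i + 1), len(blob), raw + i * len(blob)) + b"\0" * 16
    return bytes(dos) + coff + table + blob * len(names)

if __name__ == "__main__":
    host = make_pe([b".text"])              # constructed stand-in for a clean host file
    stub = make_pe([b"UPX0", b"UPX1"])      # constructed stand-in for UPX-packed code
    for label, data in [("clean host", host), ("UPX only", stub), ("stub + host", stub + host)]:
        print(label, looks_prepended(data))
```

A hit is a triage signal, not a verdict: some legitimate packed self-extracting programs also carry an executable in their overlay.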
The following text strings can be found in this virus' body:
HANTA-Vjoiner ,si que lo hice yo,
eso va para los
oritos de PER, en especial a Machado, que no tiene la
n necesaria para responder un E-
y para los que se enojaron con CPL, jeje, pa que ocupan Hotmail!!!,
teniendo miles de mailbox gratis y con mas espacio.
la Heuristica y contra una
cnica antigua JoJOjOO-Escrito en Delphi 6!-