Virus

W32/MSInit.A

Analysis

  • The virus is a 32-bit executable with a UPX-compressed size of 22,016 bytes.
  • When first executed, the virus copies itself as "dnetc.exe" to the Windows\System folder.
  • The virus modifies the registry so that it loads at the next Windows startup:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\
    msinit = C:\Windows\System\dnetc.exe -hide -install

  • The virus seeks machines that are connected to the network via NetBIOS and attempts to connect to systems that have a full system share available:

    • Machines found become targets for the virus: it copies itself to each such system and modifies that system's WIN.INI to load the virus at the next Windows startup.
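
A defender-side check for the two startup artifacts described above, added here as an example and not part of the original entry. It assumes the inputs are a regedit text export and the contents of WIN.INI; the function names and sample data are constructed, and because the entry does not say which WIN.INI line is changed, the standard `load=` and `run=` entries are both inspected.

```python
import configparser
import re

# Indicators taken from the entry above.
RUN_KEY = r"software\microsoft\windows\currentversion\runservices"
VALUE_NAME = "msinit"
DROPPED_FILE = "dnetc.exe"

def check_reg_export(text):
    """Return RunServices values in a regedit export that match the entry."""
    hits, in_key = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_key = line.strip("[]").lower().endswith(RUN_KEY)
            continue
        m = re.match(r'"([^"]+)"="(.*)"$', line)
        if in_key and m:
            # .reg exports double every backslash in string data
            name, data = m.group(1), m.group(2).replace("\\\\", "\\")
            if name.lower() == VALUE_NAME or DROPPED_FILE in data.lower():
                hits.append((name, data))
    return hits

def check_win_ini(text):
    """Return load=/run= entries in [windows] that reference the dropped file.
    Assumption: load= and run= are checked because the entry does not name
    the WIN.INI line the virus modifies."""
    ini = configparser.ConfigParser(strict=False, interpolation=None)
    ini.read_string(text)
    hits = []
    for section in ini.sections():
        if section.lower() != "windows":
            continue
        for key in ("load", "run"):
            value = ini.get(section, key, fallback="")
            if DROPPED_FILE in value.lower():
                hits.append((key, value))
    return hits

# Constructed sample inputs (not captured from a real system)
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"msinit"="C:\\Windows\\System\\dnetc.exe -hide -install"
"SchedulingAgent"="mstask.exe"
'''
SAMPLE_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\SYSTEM\\dnetc.exe\n\n[Desktop]\nWallpaper=(None)\n"

if __name__ == "__main__":
    print(check_reg_export(SAMPLE_REG), check_win_ini(SAMPLE_INI))
```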