• Virus is 32-bit, with a size of 28,672 bytes
  • Virus icon is that of a standard 32-bit executable
  • Virus attempts to connect to a hard-coded URL and update itself; however, that URL is no longer available
  • Virus copies itself to the Windows folder as ScrSvr.exe and modifies the registry to load at Windows startup:

    ScrSvr = Windows\ScrSvr.exe

  • The virus will attempt to use SMB through NetBIOS seeking machines on the same IP subnet.

    • The virus will scan IP addresses within the same domain for other shares using NetBIOS via TCP port 137, seeking systems with open shares.
    • If a system is found with an open share, the virus will copy itself to that machine in the Windows folder as ScrSvr.exe.
    • The virus will modify the WIN.INI configuration file to load the dropped virus at Windows startup.
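
A defender-side check for the WIN.INI persistence described above, as an added example that is not part of the original description: it parses the text of a WIN.INI file and reports startup entries that name ScrSvr.exe. The description does not say which WIN.INI setting is changed; the example assumes the standard `load=` and `run=` keys of the `[windows]` section, and the function names and sample files are constructed for illustration.

```python
import ntpath
import re

INDICATOR = "scrsvr.exe"        # file name taken from the description above
STARTUP_KEYS = {"load", "run"}  # assumed: [windows] keys that start programs at logon

def winini_startup_entries(text):
    """Return (key, program) pairs from load=/run= lines in the [windows] section."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):   # skip blanks and comments
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section != "windows" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = key.strip().lower()
        if key in STARTUP_KEYS:
            # Several programs may be listed, separated by spaces or commas
            # (paths containing spaces are not handled here).
            entries += [(key, p) for p in re.split(r"[,\s]+", value.strip()) if p]
    return entries

def find_indicator(text, indicator=INDICATOR):
    """Return startup entries whose file name equals the indicator (case-insensitive)."""
    return [(k, p) for k, p in winini_startup_entries(text)
            if ntpath.basename(p.strip('"')).lower() == indicator]

# Constructed sample inputs, not taken from a real infected host.
INFECTED = """[windows]
load=
run=C:\\WINDOWS\\ScrSvr.exe
[fonts]
run=ScrSvr.exe
"""
CLEAN = """; run=c:\\windows\\scrsvr.exe
[windows]
load=C:\\tools\\monitor.exe, C:\\tools\\scrsvr.exe.bak
run=
"""

if __name__ == "__main__":
    for name, sample in (("infected", INFECTED), ("clean", CLEAN)):
        print(name, find_indicator(sample))
```

The same function can be run over WIN.INI files collected from each machine on the affected subnet, since the description states the virus drops itself onto systems with open shares.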