W32/Bugsoft

Analysis

  • Virus is 32-bit with a compressed file size of 28,160 bytes
  • Virus was coded using Visual Basic 6 and requires MSVBVM60.DLL in order to be a threat; virus also requires that Windows is installed to the path "C:\Windows" due to hard-coded file copy instructions
  • If the virus is run, it may display some dialogue boxes with the following information -

    dialogue box 1 (may be displayed as many as three times)

    ------------------
    FORMAT DISK!
    VIRUS!
    [OK]
    ------------------

    dialogue box 2

    -------------------------------------------------------------------
    Hahahahahahaha! SortCut Killer Virus In You System!
    I LOVE YOU!
    Virus Name: Short Cut Killer.
    Version: 1.02
    Properties: Memory Resident,Macro,Worm Like Characterestics.
    Native Place: India
    Effecting: I Cant Tell You Just See It!.
    Activated: When You Create Any ShortCut In Desktop.
    Main Problem: Swallow the System Core Memory.
    CANT REMOVE ME FROM YOUR SYTEM!!!!!!!!!!
    Wrtten in the Language: Visual Basic
    Email Spreading : true

    HELOW MY DEAR FRIEND,
    i AM sORRY tO sAY tHAT yOUR sYSTEM gOT
    eFFECTED bY sHORTcUT kILLER vIRUS bY mE .i AM a
    sTUDENT oF bSC.cOMPUTER sCIENCE.aND i gOT
    mANY cHEATING fROM mY dEVIL fRIENDS.sO i WANT
    tO sPREAD tHIS mRSSAGE ovERALL wORLD.that
    dONT cHEATE fRIENDS oK
    -------------------------------------------------------------------

  • The virus will write itself and two other files to the following locations -

    c:\WINDOWS\game.exe (32,768 bytes)
    c:\WINDOWS\love.exe (32,768 bytes)
    c:\WINDOWS\Start Menu\Programs\StartUp\love.exe (32,768 bytes)
    c:\WINDOWS\jk.bat (3,101 bytes)
    c:\WINDOWS\mail.vbs (636 bytes)

  • The file "mail.vbs" contains broken code intended to send an email with the virus as an attachment in the following format -

    Subject: My Sexy Movie DownLoader Here!
    Body:
    Hey Sexy You Wanna See My selfFucking Movie?
    Attachment: love.exe

  • The virus will launch the Batch script file "jk.bat"

  • Jk.bat will attempt to move Norton program files into the Recycle Bin -

    c:\progra~1\norton~1 => c:\recycled
    c:\progra~1\norton~2 => c:\recycled

  • Jk.bat will attempt to move other files into the Recycle Bin -

    c:\mydocu~1\mypict~1\*.jpg => c:\recycled
    c:\windows\*.bmp => c:\recycled
    c:\windows\desktop\*.* => c:\recycled

  • The virus will replace existing files on the system with a copy of itself under the same name -

    c:\WINDOWS\CALC.EXE
    c:\WINDOWS\NOTEPAD.EXE
    c:\WINDOWS\PBRUSH.EXE
    c:\WINDOWS\COMMAND\EDIT.COM
    c:\WINDOWS\COMMAND\SCANDISK.EXE
    c:\WINDOWS\COMMAND\SCANREG.EXE
    c:\WINDOWS\COMMAND\SYS.COM
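
Because the overwritten system tools all become copies of one binary, a triage of a mounted disk image can look for byte-identical files among the paths listed above. The following is an added example, not part of the original analysis; the `root` argument (mount point of the C: volume) and the `demo` tree with placeholder contents are assumptions made for illustration.

```python
import hashlib
import tempfile
from collections import defaultdict
from pathlib import Path

# Paths taken from the analysis above, relative to the root of the C: volume.
DROPPED = ["WINDOWS/game.exe", "WINDOWS/love.exe",
           "WINDOWS/Start Menu/Programs/StartUp/love.exe"]
REPLACED = ["WINDOWS/CALC.EXE", "WINDOWS/NOTEPAD.EXE", "WINDOWS/PBRUSH.EXE",
            "WINDOWS/COMMAND/EDIT.COM", "WINDOWS/COMMAND/SCANDISK.EXE",
            "WINDOWS/COMMAND/SCANREG.EXE", "WINDOWS/COMMAND/SYS.COM"]

def triage(root):
    """Return sorted groups of listed paths whose contents are byte-identical.

    Distinct system tools should not share a hash on a clean system, so any
    group of two or more suggests they were overwritten by one binary.
    """
    by_hash = defaultdict(list)
    for rel in DROPPED + REPLACED:
        path = Path(root) / rel
        if path.is_file():
            by_hash[hashlib.sha256(path.read_bytes()).hexdigest()].append(rel)
    return sorted(sorted(g) for g in by_hash.values() if len(g) > 1)

def demo():
    """Build a constructed directory tree (no real sample) and triage it."""
    with tempfile.TemporaryDirectory() as root:
        fake = b"CONSTRUCTED-PLACEHOLDER" * 4  # stands in for the virus body
        contents = {"WINDOWS/love.exe": fake, "WINDOWS/CALC.EXE": fake,
                    "WINDOWS/COMMAND/SYS.COM": fake,
                    "WINDOWS/NOTEPAD.EXE": b"clean notepad stand-in"}
        for rel, data in contents.items():
            target = Path(root) / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        return triage(root)

if __name__ == "__main__":
    for group in demo():
        print("identical contents:", ", ".join(group))
```

Files flagged this way need restoring from known-good media, since the original tools have been overwritten rather than modified.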

Telemetry

Detection Availability

  • FortiClient: Extreme
  • FortiMail: Extreme
  • FortiSandbox: Extreme
  • FortiWeb: Extreme
  • Web Application Firewall: Extreme
  • FortiIsolator: Extreme
  • FortiDeceptor: Extreme
FortiEDR