Effects
ArmyMovement.A carries out the following actions:
- It overwrites with 0 all the files with the following extensions that it finds in the C: drive:
  DOC, HTM, JPG, PPT, TIF, XLS, ZIP
  This way, the information contained in the original files is lost.
- It sends a hoax with the following characteristics, written in Turkish:
Subject:
Tüm Askeri ve Sivil Personel Maaslarina Hükümetten % 50 Sok ZAM
The translation of the subject is the following:
The Turkish government has decided to increase soldiers and civil servants' wages by 50 percent
Message:
Subay ve Astsubay Maaslarina Hükümetten % 50 Sok ZAM!!!!
Kim kaç lira ek zam alacak.Iste hesaplama oranlari. (Ek'teki dosyayi inceleyiniz)
(ZULFIKAR DOGAN, Ankara, Milliyet)
Milli Savunma Bakanligi'nin Türk Silahli Kuvvetleri (TSK) mensuplarinin maaslarinda yüzde 50
iyilestirme öngören kararnamesi dün gece kabul edildi.
Milli Savunma Bakanligi, hazirladigi "iyilestirme" kararnamesini hükümetin gündemine getirdi.
TBMM Genel Kurulu'nda önceki gece kabul edilen yetki yasasi ile TSK Personelinin mali,
idari ve sosyal haklarinda kanun hükmünde kararnamelerle (KHK) iyilestirme yapilmasi karara
baglandi. Cumhurbaskaninin bu konudaki yetki yasasini onaylamasinin ardindan, ilk planda
Subay ve Astsubaylarin maas ve sosyal haklarinda iyilestirmelere gidilecek.
Hükümetin lojman, kamu görevlilerinin ögrenim gören çocuklari için egitim yardimi, kira ve aile
ödeneklerinin iyilestirilmesi gibi konularda da ayrintili çalismalar baslattigi, ancak sosyal
haklardaki iyilestirmelerin daha uzun vadeli planlandigi ögrenildi.
Kim Ne kadar alacak? Ek'teki dokumanda bulabilirsiniz...
- It sends this hoax to the affected user's Outlook contact list.
- It is designed to modify the message that is displayed when the computer is started to the following:
Format All Disks
This message is fake; its main aim is to frighten users.
- Due to the modifications it carries out, it could prevent the affected computer from restarting.
Infection strategy
ArmyMovement.A creates the following files:
- RUNDLL32.EXE in the Windows system directory. This file is a copy of the Trojan.
- BOOT, in the root directory of the C: drive. This file is a copy of the file BOOT.INI modified by ArmyMovement.A.
- TN, in the root directory of the C: drive, which is a copy of the file NTLDR.
Additionally, it overwrites the following files of the root directory of the C: drive:
- BOOT.INI. It adds the following string in order to display the message Format All Disks when the computer is started:
  C:\boot.ini, [operating systems] "multi(1)disk(1)rdisk(1)partition(2)\SYSTEMS"
  Value: "Format All Disks..." /fastdetect
  and modifies the following value so that the message stays on the screen longer:
  C:\boot.ini, [boot loader] "timeout"
  Old value: 30
  New value: 30000
- NTLDR. It overwrites this file with 0.
ArmyMovement.A searches the C: drive for all files with any of the following extensions and overwrites them with 0, keeping the same size as the original files: DOC, HTM, JPG, PPT, TIF, XLS and ZIP.
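The two file-level artifacts described above (targeted files zero-filled at their original size, and the BOOT.INI changes) can be checked offline on a copied or mounted disk. The following is an added triage example, not code from the original page or from any vendor tool; it assumes the files to inspect are reachable as a directory tree, and the timeout threshold of 300 is an assumed cut-off (the default is 30, the Trojan sets 30000).

```python
import re
import tempfile
from pathlib import Path

# Extensions the page says ArmyMovement.A zero-fills while keeping the original size.
TARGET_EXTS = {".doc", ".htm", ".jpg", ".ppt", ".tif", ".xls", ".zip"}
CHUNK = 1 << 20  # read 1 MiB at a time so large files need not fit in memory

def is_zero_filled(path):
    """True if the file is non-empty and every byte is 0x00 (the destructive overwrite)."""
    path = Path(path)
    if path.stat().st_size == 0:
        return False
    with path.open("rb") as fh:
        while chunk := fh.read(CHUNK):
            if chunk.count(0) != len(chunk):
                return False
    return True

def scan_tree(root):
    """Sorted paths under root with a targeted extension whose content is all zeros."""
    hits = [str(p) for p in Path(root).rglob("*")
            if p.is_file() and p.suffix.lower() in TARGET_EXTS and is_zero_filled(p)]
    return sorted(hits)

def boot_ini_indicators(text):
    """Findings matching the BOOT.INI changes described (timeout raised, fake OS entry)."""
    findings = []
    m = re.search(r"^\s*timeout\s*=\s*(\d+)", text, re.M | re.I)
    if m and int(m.group(1)) > 300:  # assumed threshold; normal boot.ini uses 30
        findings.append(f"timeout={m.group(1)}")
    for line in text.splitlines():
        if "format all disks" in line.lower():
            findings.append("fake OS entry: " + line.strip())
    return findings

def demo():
    """Constructed sample tree (not a real infected system) exercising both checks."""
    root = Path(tempfile.mkdtemp())
    (root / "report.doc").write_bytes(b"\x00" * 4096)                     # wiped, size kept
    (root / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 100)  # intact JPEG header
    (root / "notes.txt").write_bytes(b"\x00" * 64)                         # not a targeted extension
    (root / "boot.ini").write_text(
        "[boot loader]\ntimeout=30000\n[operating systems]\n"
        'multi(1)disk(1)rdisk(1)partition(2)\\SYSTEMS="Format All Disks..." /fastdetect\n')
    return scan_tree(root), boot_ini_indicators((root / "boot.ini").read_text())
```

Run `scan_tree` against the root of the copied volume and `boot_ini_indicators` against its boot.ini; a hit from either is worth correlating with the registry entry and file drops listed in this section.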
ArmyMovement.A creates the following entry in the Windows Registry:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
eTrust = %sysdir%\RealTimeMon.exe
where %sysdir% is the Windows system directory.
By creating this entry, ArmyMovement.A ensures that it is run whenever Windows is started.
Means of transmission
ArmyMovement.A does not spread automatically using its own means. It needs an attacking user's intervention in order to reach the affected computer. The means of transmission used include, among others, floppy disks, CD-ROMs, email messages with attached files, Internet downloads, FTP, IRC channels and peer-to-peer (P2P) file sharing networks.
Further Details
ArmyMovement.A is written in the programming language Delphi v6. This Trojan is 291,840 bytes in size.