
Virus Encyclopedia


DirDel.A

 
Threat level: Low threat
Damage: High
Distribution: Not widespread

Effects 

DirDel.A carries out the following actions:

  • It reaches the computer in a file called VENDETTA.EXE and has the icon of a Windows folder to deceive users.

  • When it is run, it gradually replaces the folders in the directories of the affected computer with copies of itself that have the same names as those folders.
    This way, if the user tries to open any of these folders, DirDel.A will be run.
  • It deletes the folders and files located in the replaced folders. Consequently, the affected user loses all the information in these folders.

 

The images below display the actions carried out by the worm in a mapped drive:

  • The first image shows the mapped drive before the infection:

  • The second image shows how the worm has replaced all the folders with a copy of itself, keeping the name of the original files:

  • Additionally, as it is a mapped drive, it also creates an AUTORUN.INF file, a copy of itself with the name VENDETTA.EXE and a file called VENDETTA.LOG, which displays a message when the user attempts to access any of these folders.
    The message displayed contains the following text in Spanish, which means "When they punish you, you have to punish them in the same way as they punished you":
    Cuando te castigan, tienes que castigar del mismo modo a quienes te castigaron.
    Vendetta by C0sm0o0si$ & Falkore

Infection strategy 

DirDel.A creates the following files:

  • WINLOGON.EXE, in a folder named $ntuninstallkbt8723182$ that the worm itself creates in the Program Files directory. This file is a copy of the worm.
  • VENDETTA.EXE, VENDETTA.LOG and AUTORUN.INF, in the mapped, shared and removable drives.
    - VENDETTA.EXE is a copy of itself.
    - VENDETTA.LOG displays a message whenever the user attempts to access the folders located in these drives.
    - AUTORUN.INF ensures that the copy of the worm is run whenever any of these drives is accessed.
    These three files have the hidden attribute.

Additionally, it creates a folder called Sistema in the Windows directory.

 

DirDel.A modifies the following entry in the Windows Registry:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Userinit = %sysdir%\userinit.exe,

    It changes this entry to:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Userinit = %sysdir%\userinit.exe,c:\program files\$ntuninstallkbt8723182$\winlogon.exe

    where %sysdir% is the Windows system directory.
    By modifying this entry, DirDel.A ensures that it is run whenever Windows is started.

Means of transmission 

DirDel.A spreads through mapped, shared and removable drives. In order to do so, it creates copies of itself in these drives under the name VENDETTA.EXE.

Additionally, it creates an AUTORUN.INF file in these drives to ensure that the worm is run whenever any of them is accessed, and the file VENDETTA.LOG, which displays a message whenever the user attempts to access any folder located in these drives.

Further Details  

DirDel.A is written in the programming language Visual Basic v5. This worm is 43,008 bytes in size and is compressed with UPX.
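
The indicators described in this entry can be checked with a short triage script. The following is an added example, not Panda Security's code: it flags any Userinit entry other than userinit.exe, and it walks a drive for the three dropped file names in the root and for EXE files of exactly 43,008 bytes. The function names, the C:\Windows\system32 default and the assumption that the folder replacements carry an .exe extension are choices made for this example.

```python
import ntpath
import os

# Names the write-up lists for mapped, shared and removable drives.
DROPPED = {"vendetta.exe", "vendetta.log", "autorun.inf"}
WORM_SIZE = 43008  # bytes, as stated in the write-up


def extra_userinit_entries(value, sysdir=r"C:\Windows\system32"):
    """Return Userinit entries other than <sysdir>\\userinit.exe.

    Userinit is a comma-separated list and Winlogon starts every entry at
    logon, so anything beyond userinit.exe deserves a look.
    """
    expected = ntpath.normcase(ntpath.join(sysdir, "userinit.exe"))
    extras = []
    for entry in value.split(","):
        entry = entry.strip().strip('"')
        if entry and ntpath.normcase(ntpath.normpath(entry)) != expected:
            extras.append(entry)
    return extras


def drive_findings(root):
    """Walk a drive and report dropped files and worm-sized EXE files."""
    findings = []
    for folder, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(folder, name)
            if folder == root and name.lower() in DROPPED:
                findings.append(("dropped-file", path))
            elif name.lower().endswith(".exe") and os.path.getsize(path) == WORM_SIZE:
                # Assumption: folder replacements are EXE copies of the worm.
                findings.append(("worm-sized-exe", path))
    return findings


if __name__ == "__main__":
    # Constructed sample: the modified value from the write-up, with
    # %sysdir% expanded to an assumed C:\Windows\system32.
    sample = (r"C:\Windows\system32\userinit.exe,"
              r"c:\program files\$ntuninstallkbt8723182$\winlogon.exe")
    print(extra_userinit_entries(sample))
```

A size match is only a heuristic: treat a worm-sized EXE as a lead to confirm with an antivirus scan, not as a verdict.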
