Virus Encyclopedia
Welcome to the Virus Encyclopedia of Panda Security.
Effects
BckPatcher.C carries out the following actions:
- When it is run, it displays the following screen:

Although the user clicks OK, the message appears again and again, leaving the computer temporarily blocked.
- It opens the CD/DVD tray.
- It modifies the Desktop wallpaper and replaces it with the following image:

- It modifies the icons of the folders located in the root directory of the drives and the wallpaper of the Windows Explorer:

- It displays a message that contains some symbols when Windows is starting up:

Actually, they are Arabic characters. However, if the computer does not have the Arabic character map, these symbols are displayed.
- When files with certain extensions are run, the worm is run instead of the application associated with such extensions.
Some of the affected extensions are:
- BMP, GIF, JPEG, JPG (pictures)
- DLL (Dynamic Link Library)
- DOC (Word files)
- RAR (compressed files)
- EXE (executable files)
Infection strategy
BckPatcher.C creates the following files:
- PHOTO1.EXE, in a folder named photo, which the worm itself creates in the Documents and Settings directory.
- ME.ICO and ME.BMP, in the root directory of all the drives. These files are, respectively, the icon and the wallpaper used by the worm.
BckPatcher.C modifies the following entries in the Windows Registry, so that the worm is run instead of the applications associated with each entry. In order to do so, it replaces the value of the following entries with VIRUS kiss:
- HKEY_CLASSES_ROOT\.application
(Default) = Application.Manifest
- HKEY_CLASSES_ROOT\.bat
(Default) = batfile
- HKEY_CLASSES_ROOT\.bmp
(Default) = Paint.Picture
- HKEY_CLASSES_ROOT\.dll
(Default) = dllfile
- HKEY_CLASSES_ROOT\.doc
(Default) = Word.Document.8
- HKEY_CLASSES_ROOT\.gif
(Default) = giffile
- HKEY_CLASSES_ROOT\.exe
(Default) = exefile
- HKEY_CLASSES_ROOT\.inf
(Default) = inffile
- HKEY_CLASSES_ROOT\.ini
(Default) = inifile
- HKEY_CLASSES_ROOT\.jpeg
(Default) = jpegfile
- HKEY_CLASSES_ROOT\.jpg
(Default) = jpegfile
- HKEY_CLASSES_ROOT\.key
(Default) = keyfile
- HKEY_CLASSES_ROOT\.lnk
(Default) = lnkfile
- HKEY_CLASSES_ROOT\.log
(Default) = txtfile
- HKEY_CLASSES_ROOT\.mdb
(Default) = Access.Application.8
- HKEY_CLASSES_ROOT\.mpeg
(Default) = mpegfile
- HKEY_CLASSES_ROOT\.mpg
(Default) = mpegfile
- HKEY_CLASSES_ROOT\.msc
(Default) = MSCFile
- HKEY_CLASSES_ROOT\.ocx
(Default) = ocxfile
- HKEY_CLASSES_ROOT\.rar
(Default) = WinRAR
- HKEY_CLASSES_ROOT\.reg
(Default) = regfile
- HKEY_CLASSES_ROOT\.sys
(Default) = sysfile
- HKEY_CLASSES_ROOT\Applications\iexplore.exe\shell\open\command
(Default) = "C:\Program Files\Internet Explorer\iexplore.exe" %1
- HKEY_CLASSES_ROOT\Directory
(Default) = File Folder
- HKEY_CLASSES_ROOT\dllfile
(Default) = Application Extension
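A defender can check for this kind of file-association hijack by comparing each key's (Default) value in a registry export against a known-good baseline. The following is an added example, not code from Panda Security; it treats a subset of the values listed above as the baseline, and the sample export and function names are assumptions made here.

```python
import re

# Pre-infection (Default) values as listed on this page (subset). Other software
# versions may legitimately register different ProgIDs, so tune per environment.
BASELINE = {
    r"HKEY_CLASSES_ROOT\.bat": "batfile",
    r"HKEY_CLASSES_ROOT\.exe": "exefile",
    r"HKEY_CLASSES_ROOT\.doc": "Word.Document.8",
    r"HKEY_CLASSES_ROOT\Applications\iexplore.exe\shell\open\command":
        r'"C:\Program Files\Internet Explorer\iexplore.exe" %1',
}
MARKER = "virus kiss"  # replacement value reported on this page, lower-cased

# Constructed sample in .reg export syntax, not captured from a real host.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\.bat]
@="batfile"
[HKEY_CLASSES_ROOT\.exe]
@="VIRUS kiss"
[HKEY_CLASSES_ROOT\.doc]
@="Word.Document.12"
[HKEY_CLASSES_ROOT\Applications\iexplore.exe\shell\open\command]
@="\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" %1"
'''

def parse_defaults(reg_text):
    """Map each key (upper-cased) in a .reg export to its (Default) string."""
    defaults, key = {}, None
    for line in map(str.strip, reg_text.splitlines()):
        if m := re.match(r"^\[(.+)\]$", line):
            key = m.group(1).upper()
        elif key and (m := re.match(r'^@="(.*)"$', line)):
            # .reg syntax escapes backslash and double quote inside strings
            defaults[key] = re.sub(r"\\(.)", r"\1", m.group(1))
    return defaults

def find_hijacked(reg_text, baseline=BASELINE):
    """Return (key, expected, actual, has_marker) for every deviating key."""
    defaults, findings = parse_defaults(reg_text), []
    for key, expected in baseline.items():
        actual = defaults.get(key.upper())
        # Keys absent from the export are skipped: nothing to compare.
        if actual is not None and actual.lower() != expected.lower():
            findings.append((key, expected, actual, MARKER in actual.lower()))
    return findings

if __name__ == "__main__":
    for finding in find_hijacked(SAMPLE_EXPORT):
        print(finding)
```

Files written by `reg export` are UTF-16LE, so decode them before passing the text to `find_hijacked`. A deviation without the marker, such as the `.doc` entry in the sample, usually reflects a different installed application version rather than the worm.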
Additionally, BckPatcher.C modifies the following entries in the Windows Registry:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
LegalNoticeCaption
It changes this entry to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
LegalNoticeCaption = Virus Kiss 2009
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
LegalNoticeText
It changes this entry to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
LegalNoticeText = (data too large: 422 bytes)
By modifying these entries, BckPatcher.C displays the message mentioned in the previous section whenever Windows is started.
Means of transmission
BckPatcher.C spreads via the system drives: mapped, shared and removable. It creates a copy of itself with the name SEXYGIRLS.EXE in the root directory of all the drives. Additionally, it creates an AUTORUN.INF file in those drives, so that the copy of itself is automatically run whenever any of them is accessed.
When a computer gets infected, the worm sends an email message to its creator informing them that a computer has been infected.
Further Details
BckPatcher.C is written in the programming language Visual Basic v6. This worm is 847,872 bytes in size.