
Virus Encyclopedia


ExeFolder.E

 
Threat Level: Low threat
Damage: High
Distribution: Not widespread

Effects 

ExeFolder.E carries out the following actions:

  • It reaches the computer in a file that has the icon of a folder, in order to deceive users into thinking it is a harmless file:

    Icon with which it reaches the computer
  • When it is run, it displays a message at the top of the screen, as can be seen in the following image:

    Message displayed at the top of the screen
  • This message changes from time to time and messages like the following are displayed:

    Other messages displayed at the top of the screen
  • It modifies the window title of any folder or program opened by the user, changing it to texts similar to the messages mentioned above:

    Modified window title
  • It creates copies of itself in different folders of the C: drive with the same name as the folders and with the icon of a folder, as can be seen in the following example:

    Copy created in Documents and Settings

    Additionally, as can be seen, it also modifies the window title.

Infection strategy 

ExeFolder.E creates copies of itself in different folders, giving each copy the same name as the folder it is placed in. The following are some examples:

  • NEW FOLDER.EXE, in the root directory of the C: drive.
  • DOCUMENTS AND SETTINGS.EXE, in the path C:\Documents and Settings.
  • MIRC.EXE, in the path C:\mIRC.

These files have the icon of a folder and the extension is hidden, so they do not seem to be executable files.

 

ExeFolder.E modifies the following entry in the Windows Registry in order to hide file extensions, so that the worm can pass itself off as a folder:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    HideFileExt = 0

    It changes this entry to:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    HideFileExt = 1

Means of transmission 

ExeFolder.E spreads by making copies of itself in different folders of the computer, using the same names as these folders.

Additionally, it copies itself with the name NEWFOLDER.EXE to removable drives connected to the computer, such as USB keys.

Further Details  

ExeFolder.E is 110,592 bytes in size and is compressed with UPX.
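
A triage scan for the traits listed in this entry (an .exe named after its containing folder, the NEW FOLDER.EXE / NEWFOLDER.EXE names, the 110,592-byte size and UPX packing), as an added example that is not Panda Security's code. The `UPX0` section-name check and the constructed sample tree are assumptions of this example; a name match alone is weak evidence, because a legitimate program can share its folder's name (mIRC's own executable is mirc.exe).

```python
import os
import tempfile

SAMPLE_SIZE = 110_592                              # size stated in this entry
DROP_NAMES = {"new folder.exe", "newfolder.exe"}   # names stated in this entry

def looks_upx(path):
    """Heuristic (assumption): MZ header plus a UPX0 section name in the first 1 KiB."""
    with open(path, "rb") as fh:
        head = fh.read(1024)
    return head[:2] == b"MZ" and b"UPX0" in head

def scan(root):
    """Return {path: [reasons]} for .exe files showing the traits described above."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        folder = os.path.basename(os.path.normpath(dirpath)).lower()
        for name in files:
            stem, ext = os.path.splitext(name)
            if ext.lower() != ".exe":
                continue
            reasons = []
            if stem.lower() == folder:
                reasons.append("named after containing folder")
            if name.lower() in DROP_NAMES:
                reasons.append("drop name")
            if not reasons:
                continue            # ordinary executable, nothing to report
            full = os.path.join(dirpath, name)
            if os.path.getsize(full) == SAMPLE_SIZE:
                reasons.append("size 110592")
            if looks_upx(full):
                reasons.append("UPX")
            hits[full] = reasons
    return hits

def make_sample_tree(root):
    """Constructed, inert test data: zero-filled files, not real malware."""
    fake = b"MZ" + b"\0" * 200 + b"UPX0" + b"\0" * (SAMPLE_SIZE - 206)
    for rel in ("NEW FOLDER.EXE", "mIRC/MIRC.EXE", "Docs/setup.exe"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(fake)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_tree(tmp)
        print(scan(tmp))
```

Files reported with only the name reason need manual review; those that also match the size and packer are the stronger candidates.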