BotVoice.A

 
Threat level: Low threat
Damage: High
Distribution: Not widespread

Effects 

BotVoice.A carries out the following actions:

  • Once it is run, the following message is heard repeatedly:
    You have been infected I repeat You have been infected and your system files has been deleted. Sorry. Have a Nice Day and bye bye

  • It prevents users from working with the computer properly, as it does not allow files with the following extensions to be run:
    BAT
    COM
    EXE
    HTML
    JS
    MP3
    PIF
    VBS
  • It disables the following applications:
    - Task Manager.
    - Windows Registry Editor.

Infection strategy 

BotVoice.A deletes the following files:

  • all the files on the C: drive, until it finds one that cannot be deleted, either because it is protected or because it is in use.
  • the shortcuts (LNK extension) from the Desktop and My Documents.

 

BotVoice.A creates the following entries in the Windows Registry:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
    DisableTaskMgr = 01, 00, 00, 00

    It disables the Task Manager.
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
    DisableRegistryTools = 01, 00, 00, 00

    It disables the Windows Registry Editor.

 

BotVoice.A modifies the following entries from the Windows Registry:

  • HKEY_CLASSES_ROOT\batfile\shell\open\command
    (Default) = "%1" %*
    It changes this entry to:
    HKEY_CLASSES_ROOT\batfile\shell\open\command
    (Default) = :: Win32\Hira.A - eCORE[GEDZAC] - I AlwAyS WilL LoVE YoU BeA ::
  • HKEY_CLASSES_ROOT\comfile\shell\open\command
    (Default) = "%1" %*
    It changes this entry to:
    HKEY_CLASSES_ROOT\comfile\shell\open\command
    (Default) = :: Win32\Hira.A - eCORE[GEDZAC] - I AlwAyS WilL LoVE YoU BeA ::
  • HKEY_CLASSES_ROOT\exefile\shell\open\command
    (Default) = "%1" %*
    It changes this entry to:
    HKEY_CLASSES_ROOT\exefile\shell\open\command
    (Default) = :: Win32\Hira.A - eCORE[GEDZAC] - I AlwAyS WilL LoVE YoU BeA ::
  • HKEY_CLASSES_ROOT\htmlfile\shell\open\command
    (Default) = C:\Program Files\Internet Explorer\iexplore.exe -nohome
    It changes this entry to:
    HKEY_CLASSES_ROOT\htmlfile\shell\open\command
    (Default) = :: Win32\Hira.A - eCORE[GEDZAC] - I AlwAyS WilL LoVE YoU BeA ::
  • HKEY_CLASSES_ROOT\JSFile\Shell\Open\Command
    (Default) = %SystemRoot%\System32\WScript.exe "%1" %*
    It changes this entry to:
    HKEY_CLASSES_ROOT\JSFile\Shell\Open\Command
    (Default) = :: Win32\Hira.A - eCORE[GEDZAC] - I AlwAyS WilL LoVE YoU BeA ::
  • HKEY_CLASSES_ROOT\mp3file\shell\open\command
    (Default) = C:\Program Files\Windows Media Player\wmplayer.exe /Open %L
    It changes this entry to:
    HKEY_CLASSES_ROOT\mp3file\shell\open\command
    (Default) = :: Win32\Hira.A - eCORE[GEDZAC] - I AlwAyS WilL LoVE YoU BeA ::
  • HKEY_CLASSES_ROOT\piffile\shell\open\command
    (Default) = "%1" %*
    It changes this entry to:
    HKEY_CLASSES_ROOT\piffile\shell\open\command
    (Default) = Win32\Hira.A - eCORE[GEDZAC] - I AlwAyS WilL LoVE YoU BeA ::
  • HKEY_CLASSES_ROOT\VBSFile\Shell\Open\Command
    (Default) = %SystemRoot%\System32\WScript.exe "%1" %*
    It changes this entry to:
    HKEY_CLASSES_ROOT\VBSFile\Shell\Open\Command
    (Default) = :: Win32\Hira.A - eCORE[GEDZAC] - I AlwAyS WilL LoVE YoU BeA ::

By modifying these entries, BotVoice.A prevents the files with the extensions below from being run:
BAT, COM, EXE, HTML, JS, MP3, PIF and VBS.
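
The registry changes listed above can be checked offline from a text `reg export`. The following Python script is an added example, not part of the original entry or any Panda tool; its function names, its heuristic (a working open command passes `%1` or names an `.exe`), and the sample export are assumptions constructed for illustration, and it expects handler keys exported under HKEY_CLASSES_ROOT.

```python
import re

# ProgIDs and policy key taken from the registry changes listed above.
PROGIDS = "batfile comfile exefile htmlfile jsfile mp3file piffile vbsfile".split()
POLICY_KEY = r"hkey_current_user\software\microsoft\windows\currentversion\policies\system"

def parse_reg(text):
    """Parse .reg text (continued hex lines joined) into {key: {name: raw_data}}."""
    keys, current = {}, {}
    for line in map(str.strip, re.sub(r"\\\s*\n\s*", "", text).splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif "=" in line:
            name, data = line.split("=", 1)
            current[name.strip('"').lower()] = data
    return keys

def decode_string(data):
    """Text of a REG_SZ ("...") or REG_EXPAND_SZ (hex(2):...) value."""
    if data.startswith("hex(2):"):
        raw = bytes(int(b, 16) for b in data[7:].split(",") if b.strip())
        return raw.decode("utf-16-le", "replace").rstrip("\x00")
    return re.sub(r"\\(.)", r"\1", data[1:-1])  # undo \\ and \" escaping

def find_indicators(text):
    """Report hijacked open commands and non-zero dword:/hex: policy values."""
    keys, found = parse_reg(text), []
    for progid in PROGIDS:
        key = "hkey_classes_root\\" + progid + r"\shell\open\command"
        data = keys.get(key, {}).get("@")
        # Assumed heuristic: a working open command names an .exe or passes "%1".
        if data and not re.search(r"%1|\.exe", decode_string(data), re.I):
            found.append(f"hijacked handler: {progid}")
    for name in ("disabletaskmgr", "disableregistrytools"):
        data = keys.get(POLICY_KEY, {}).get(name, "")
        if re.match(r"(dword|hex):", data) and int(data.split(":")[1].replace(",", ""), 16):
            found.append(f"policy set: {name}")
    return found

# Constructed sample export: exefile overwritten, VBSFile intact, one policy set.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@=":: Win32\\Hira.A - eCORE[GEDZAC] - I AlwAyS WilL LoVE YoU BeA ::"
[HKEY_CLASSES_ROOT\VBSFile\Shell\Open\Command]
@=hex(2):22,00,25,00,31,00,22,00,20,00,\
  25,00,2a,00,00,00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=hex:01,00,00,00
"DisableRegistryTools"=dword:00000000
'''
```

`reg export` writes UTF-16 text, so read the file with `encoding="utf-16"` before passing its contents to `find_indicators`.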

Means of transmission 

BotVoice.A does not spread automatically using its own means. It needs an attacking user's intervention in order to reach the affected computer. The means of transmission used include, among others, floppy disks, CD-ROMs, email messages with attached files, Internet downloads, FTP, IRC channels, peer-to-peer (P2P) file sharing networks, etc.

Further Details  

BotVoice.A is written in the programming language Visual Basic v5. This Trojan is 20,992 bytes in size and it is compressed with AsPack.

Last updated:  28/06/2007 
