Win32/Rovud [Threat Name]

Win32/Rovud.B [Threat Variant Name]

Category: worm
Size: 79360 B
Aliases:
  • Net-Worm.Win32.Rovud.b (Kaspersky)
  • W32/Rovud.worm (McAfee)
  • Win32.HLLW.AntiDurov (Dr.Web)
Short description

The worm sends links to VKontakte.ru users. If the link is clicked, a copy of the worm is downloaded.

Installation

When executed, the worm copies itself into the %appdata%\Vkontakte\ folder using the following name:

  • svc.exe

The worm creates the following files:

  • deti.jpg

In order to be executed on every system start, the worm sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    • "DurovVkon" = "%filepath%"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "DurovVkon" = "%filepath%"

The worm registers itself as a system service using the following name:

  • Durov VKontakte Service
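
As an added defender-side example (not ESET's code), the following Python function checks a snapshot of a host's Run-key values, file paths and service names against the persistence artifacts listed in this section. The sample snapshot is constructed, and %appdata% is assumed to resolve to the per-user Roaming folder.

```python
"""Check host artifacts against the Win32/Rovud.B indicators listed above."""
import ntpath

# Indicators taken from this description, lower-cased for case-insensitive matching.
RUN_VALUE_NAME = "durovvkon"
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
}
DROP_DIR_SUFFIX = r"\vkontakte"          # %appdata%\Vkontakte\
DROPPED_FILES = {"svc.exe", "deti.jpg"}
SERVICE_NAME = "durov vkontakte service"

def find_rovud_indicators(run_values, files, services):
    """Return (kind, detail) matches; empty list means no hit.
    run_values: {(key_path, value_name): data}; files: full paths;
    services: service display names. Windows names compare case-insensitively."""
    hits = []
    for (key, name), data in run_values.items():
        if key.lower() in RUN_KEYS and name.lower() == RUN_VALUE_NAME:
            hits.append(("registry", f"{key}\\{name} = {data}"))
    for path in files:
        folder, base = ntpath.split(path)
        # Only the dropped names inside %appdata%\Vkontakte count; a deti.jpg elsewhere does not.
        if folder.lower().endswith(DROP_DIR_SUFFIX) and base.lower() in DROPPED_FILES:
            hits.append(("file", path))
    for svc in services:
        if svc.strip().lower() == SERVICE_NAME:
            hits.append(("service", svc))
    return hits

# Constructed sample snapshot (not real telemetry); the user name is made up.
HKCU_RUN = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_RUN = {
    (HKCU_RUN, "DurovVkon"): r"C:\Users\alice\AppData\Roaming\Vkontakte\svc.exe",
    (HKCU_RUN, "OneDrive"): r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
}
SAMPLE_FILES = [
    r"C:\Users\alice\AppData\Roaming\Vkontakte\svc.exe",
    r"C:\Users\alice\AppData\Roaming\Vkontakte\deti.jpg",
    r"C:\Users\alice\Pictures\deti.jpg",   # same name, wrong folder: not flagged
]
SAMPLE_SERVICES = ["Windows Update", "Durov VKontakte Service"]

if __name__ == "__main__":
    for kind, detail in find_rovud_indicators(SAMPLE_RUN, SAMPLE_FILES, SAMPLE_SERVICES):
        print(f"[{kind}] {detail}")
```

On a live host the three inputs would come from a registry export, a directory listing and the service list; the sample flags one Run value, two dropped files and the service, and ignores the unrelated deti.jpg.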

Spreading

The worm sends links to VKontakte.ru users. If the link is clicked, a copy of the worm is downloaded.

Other information

The worm may display the following file: deti.jpg

The worm opens the file using the default image viewer.

If the current system date and time matches certain conditions, the worm attempts to delete all files and folders stored on the available drives. It avoids those with any of the following strings in their names:

  • ntldr
  • bootmgr

The worm displays a window titled

  • Павел Дуров (Pavel Durov)

that contains the following text:

Работая с "ВКонтакте.РУ" Вы ни разу не повышали свой рейтинг и поэтому мы не получили от Вас прибыли. За это Ваш компьютер будет уничтожен! Если обратитесь в милицию, то сильно пожалеете об этом! С уважением, Павел Дуров.

In English, the displayed text reads: "While using 'VKontakte.RU' you have never raised your rating, and therefore we have received no profit from you. For this your computer will be destroyed! If you go to the police, you will greatly regret it! Regards, Pavel Durov."
