Friday, March 13, 2009

Neospace Trojan

(aka Trojan.Horse3.ABC)


[Description]

It creates a mutex named [Windows_Alert], which it uses to check whether the system is already infected.
It then shows a message box with a fake warning:

"Windows has detected spyware programs running on your computer.
It is strongly recommended to use special software tools to prevent data loss.
Windows will now download the newest antispyware for you.
Click OK to protect your computer from spyware"


Then it tries to open a connection to http://www.neospa{blocked}celab.com
After 2 minutes (120 sec), it copies itself to the Windows system folder under the name wincrt.exe
It also adds a value under the following registry key, so that the copy is started at every logon:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run, Windows Critical Alert
having the value %WINDIR%\System32\wincrt.exe
(%WINDIR% is usually C:\Windows)

[Clean]

In order to clean the computer, please restart it in Safe Mode and do the following:

- Locate and delete the file:
%WINDIR%\System32\wincrt.exe

- Go to Start, Run, type regedit and press OK.
- Navigate to:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

- Delete the entry (only this value, not the Run key itself):
Windows Critical Alert with the value %WINDIR%\System32\wincrt.exe
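
The same check and cleanup as a PowerShell script, for an elevated prompt. This is an added example, not part of the original post; the `-Remove` switch is a hypothetical name, and without it the script only reports what it finds.

```powershell
# Added example: looks for the two artifacts described in this post
# (dropped file and Run value) and removes them only when -Remove is given.
param([switch]$Remove)   # hypothetical switch name; default is report-only

$runKey    = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$valueName = 'Windows Critical Alert'
$filePath  = Join-Path $env:WINDIR 'System32\wincrt.exe'
$found     = $false

# 1. Dropped copy of the trojan in the Windows system folder
if (Test-Path -LiteralPath $filePath) {
    $found = $true
    Write-Output "FOUND file: $filePath"
    if ($Remove) {
        # -Force also handles a hidden or read-only file
        Remove-Item -LiteralPath $filePath -Force
        Write-Output '  file deleted'
    }
}

# 2. Autostart value under the Run key
$run = Get-ItemProperty -LiteralPath $runKey -Name $valueName -ErrorAction SilentlyContinue
if ($run) {
    $found = $true
    $data  = $run.$valueName
    Write-Output "FOUND Run value: '$valueName' = $data"
    # Delete only the value, and only if its data points at wincrt.exe,
    # so an unrelated entry with the same name is left for manual review.
    if ($Remove -and $data -like '*\wincrt.exe*') {
        Remove-ItemProperty -LiteralPath $runKey -Name $valueName
        Write-Output '  Run value deleted'
    }
}

if (-not $found) { Write-Output 'No artifacts from this post were found.' }
```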
