Threat behavior
Win32/Huhk.7573 is a cavity virus that infects a host by placing parts of itself in blocks of zeros found within the host.
Installation
When executed, the virus decrypts and reconstructs itself in memory. It then attempts to infect "Explorer.exe". It does this by first disabling System Restore and copying <system folder>\dllcache\Explorer.exe to the %Temp% directory. It then infects that copy of Explorer.exe and copies it back to both the Windows directory and <system folder>\dllcache.
When the infected Explorer.exe is executed and the virus gains control, the virus hooks the CreateProcessW API so that calls to it are redirected to the virus's own code. The virus also checks the name of each process being created and infects the associated file if that name is not on its exclusion list (see below).
Spreads Via
File infection
The virus searches through any available removable drives and connected network resources for suitable files to infect.
The virus avoids infecting files with the following filenames or associated process names:
readbook.exe
qq.exe
icesword.exe
aspack.exe
iris.exe
iexplore.exe
navapw32.exe
navapsvc.exe
nmain.exe
navw32.exe
kvfw.exe
kavsvcui.exe
kavpfw.exe
kav32.exe
kvxp.kvxp.kxp
kvsrvxp.exe
kvmonxp.kxp
kvwsc.exe
kavsvc.exe
kwatchui.exe
ravmond.exe
ravmon.exe
ravtimer.exe
rising.exe
rav.exe
ravmon.exe
ravtimer.exe
iparmor.exe
trojanhunter.exe
thguard.exe
pfw.exe
eghost.exe
mailmon.exe
The virus also avoids infecting files that contain the following strings in their paths:
windows
winnt
system32
system
dllcache
Payload
Downloads and executes arbitrary files
The virus hooks the "connect" API to redirect to its own code, and attempts to contact the domain 'vampire009tw.c0m.st' to download and execute a file.
Additional Information
The virus may also contact the domain 'c28.statcounter.com' presumably to track its infection rate.
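As an added example that is not part of the original write-up, the following Python triage helper looks for both domains named above in proxy or DNS log lines. The log lines, their format and the confidence labels are constructed assumptions: the download host is treated as a high-confidence indicator, while the statcounter host is treated as low confidence on its own because legitimate browsing also reaches it.

```python
"""Triage helper: flag proxy/DNS log lines that reach the domains named in
the Win32/Huhk.7573 write-up. Added example, not Microsoft's own tooling."""
import re

# Indicators taken from the write-up. The download host is high confidence;
# statcounter.com is a legitimate analytics service that the virus is only
# presumed to use, so a hit there is low confidence by itself.
INDICATORS = {
    "vampire009tw.c0m.st": "high",
    "c28.statcounter.com": "low",
}

# Constructed sample log lines: timestamp, client IP, destination host.
SAMPLE_LOG = """\
2008-03-01T10:00:01Z 10.0.0.5 www.example.com
2008-03-01T10:00:07Z 10.0.0.5 vampire009tw.c0m.st
2008-03-01T10:00:09Z 10.0.0.9 c28.statcounter.com
2008-03-01T10:00:12Z 10.0.0.5 c28.statcounter.com
2008-03-01T10:00:30Z 10.0.0.7 mail.example.com
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<host>\S+)$")

def parse_line(line):
    """Parse one constructed log line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def find_hits(log_text):
    """Return (timestamp, source, host, confidence) for every indicator hit."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        host = rec["host"].lower().rstrip(".")
        for ioc, conf in INDICATORS.items():
            # Match the exact host or any subdomain of it.
            if host == ioc or host.endswith("." + ioc):
                hits.append((rec["ts"], rec["src"], host, conf))
    return hits

def triage(hits):
    """Map each source address to 'suspect' (reached the download host) or
    'review' (only reached the analytics host, which normal browsing also does)."""
    verdict = {}
    for _, src, _, conf in hits:
        if conf == "high":
            verdict[src] = "suspect"
        else:
            verdict.setdefault(src, "review")
    return verdict
```

Hosts marked "review" should be checked for other signs of infection, such as a modified Explorer.exe in both the Windows directory and dllcache, before being treated as infected.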
Analysis by Ray Roberts
Prevention