Virus:Win32/PMX.A is a companion virus that attempts to spread via network drives and via the Kazaa peer-to-peer file-sharing network.
Installation
When executed, Virus:Win32/PMX.A copies itself as a read-only hidden file to <system folder>\Rundll32~.exe.
It creates the following registry entry to ensure that it is run upon system startup:
Under key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Adds value: "Rundll32"
With data: "<system folder>\Rundll32~.exe /out"
It uses an icon such as the following:
Spreads via…
Network drives as a companion virus
The malware scans the affected system for fixed and network drives and RAM disks and creates a hidden directory named Mouse_MX in the root directory of each of these that it finds.
It may randomly choose to replace a file with a copy of itself. It selects a file with one of the following extensions:
.exe
.mp3
.avi
.mpg
.mov
It moves the original file to the \Mouse_MX folder, and replaces the file in its original location with a copy of itself, using the same filename as the original file.
It avoids replacing files if their pathname contains one of the following strings:
Win
System
Prog_mx
Mouse_mx
If one of these copies of the malware is run, it also attempts to launch the original copy of the file it replaced, by launching a file with the same name as itself from the \Mouse_MX directory.
Peer to Peer file sharing
If the affected system is running Kazaa, Virus:Win32/PMX.A attempts to spread via the Kazaa peer-to-peer file sharing network. If Kazaa already has a directory for shared files, it creates a hidden subdirectory Prog_MX under this and makes multiple copies of itself in this subdirectory.
If there is no shared directory, it instead creates a hidden directory at %windir%\Programy_MX, and makes multiple copies of itself in this directory. It also creates the following registry entry to share the directory’s contents using Kazaa:
Under key: HKCU\Software\Kazaa\LocalContent
Adds value: "Dir0:"
With data: "012345:%windir%\Programy_MX"
The copies may have extra characters appended to make them appear a more realistic size. It uses the following filenames:
GTA San Andreas Crack.exe
Norton AntyVirus 2005 full.exe
Mks_vir 2005.exe
Half Life 2 Crack – multiplayer.exe
The Sims 2 crack.exe
Directx10 v2.3 fullversion PL.exe
GaduReader 3.5.exe
Partition Magic 8.6.exe
Partition Magic 9.exe
Half Life 2 dodatek.exe
Roller Coaster Tycoon 3 crack.exe
The Sims 2 - crack na budowanie.exe
ReadKeys - Mks_vir 2005.exe
Additional Information
Virus:Win32/PMX.A creates the following registry entries:
Under key: HKCU\Software\Mouse_MX2
Adds value: Name
With data: "Mouse MX"
Adds value: Version
With data: "1.1"
Adds value: Type
With data: "virus"
Adds value: Country
With data: "Polska"
Adds value: City
With data: "Tarnów"
Adds value: Date
With data: "9.11.2004"
Adds value: Infection
With data: <the current date> (eg "7/2/2009")
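Added example (Python, not part of the original analysis): a detection pass over a constructed drive listing and registry snapshot that pairs each file in a drive-root \Mouse_MX folder with its same-named replacement elsewhere on that drive, confirms the replacements share a single body, and checks the Run and Kazaa LocalContent values described above. The file contents, paths and registry data are constructed for illustration; a real listing must include hidden files, since the Mouse_MX folder is created hidden.

```python
import hashlib
from pathlib import PureWindowsPath

# Constructed listing standing in for a drive scan (path -> file bytes).
# Not taken from a real sample; hidden entries are assumed to be included.
SNAPSHOT = {
    r"D:\Mouse_MX\holiday.mpg": b"\x00\x00\x01\xba original mpeg data",
    r"D:\Videos\holiday.mpg": b"MZ companion body",      # replacement
    r"D:\Mouse_MX\song.mp3": b"ID3 original mp3 data",
    r"D:\Music\song.mp3": b"MZ companion body",          # replacement
    r"D:\Music\other.mp3": b"ID3 untouched track",
    r"D:\Programs\tool.exe": b"MZ legit tool",
}

# Constructed registry values: (key, value name) -> data
REGISTRY = {
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "Rundll32"):
        r"C:\WINDOWS\system32\Rundll32~.exe /out",
    (r"HKCU\Software\Kazaa\LocalContent", "Dir0:"):
        r"012345:C:\WINDOWS\Programy_MX",
}

def find_companion_pairs(snapshot):
    """Pair each file directly under <drive>:\\Mouse_MX with the same-named file
    elsewhere on that drive. Returns sorted [(replacement_path, original_path)]."""
    pairs = []
    for path in snapshot:
        p = PureWindowsPath(path)
        if len(p.parts) == 3 and p.parts[1].lower() == "mouse_mx":
            for other in snapshot:
                o = PureWindowsPath(other)
                if (o != p and o.parts[0] == p.parts[0]
                        and o.name.lower() == p.name.lower()):
                    pairs.append((str(o), str(p)))
    return sorted(pairs)

def companion_hashes(snapshot, pairs):
    """All replacements are copies of one body; a single shared hash corroborates."""
    return {hashlib.sha256(snapshot[repl]).hexdigest() for repl, _ in pairs}

def check_registry(reg):
    """Flag the startup value and the Kazaa share value described in the analysis."""
    findings = []
    run = reg.get((r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "Rundll32"), "")
    if run.lower().endswith("rundll32~.exe /out"):
        findings.append("startup persistence: Rundll32~.exe /out")
    share = reg.get((r"HKCU\Software\Kazaa\LocalContent", "Dir0:"), "")
    if "programy_mx" in share.lower():
        findings.append("Kazaa share of Programy_MX")
    return findings
```

Restoring a pair means moving the file from \Mouse_MX back over its same-named replacement, after the replacement has been quarantined.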
Analysis by David Wood