VIRUS NAME: Portacopo Trojan
Characteristics
This Trojan may have been distributed to others within the P2P (peer-to-peer) community. Its file name is "Portacopos.exe", which is Portuguese for "cup holder", a reference to the CD tray. Calling the CD tray a cup holder is a joke of sorts, and the humour may make users more inclined to run this Trojan.
This Trojan was written in Delphi and has an icon similar to Shockwave applications.
When this Trojan is first executed, it displays a Windows dialogue box titled "MULTIFUNCIONAL".
Clicking the [Utilizar] button attempts to open the CD tray. Next, another dialogue box titled "PORTA COPOS" is displayed.
Clicking the [OK] button displays a further "MULTIFUNCIONAL" dialogue, which closes the CD tray when its button is clicked.
While these message boxes are being displayed, the Trojan copies itself as "WSYS.EXE" to the %Windir% folder. Next, it modifies the registry to load at Windows startup:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BOOT Verify = (%Windir%)\WSys.exe /plus
Portacopos also creates a registry entry in which it tracks the number of times it has been run:
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\ CountStart=1
This number is incremented every time the Trojan is executed.
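The two registry entries described above are the indicators a responder would look for. The following is an added detection example, not code from the original description: it parses a registry export and flags a Run value that launches WSys.exe together with the CountStart run counter. The export text is constructed for the example.

```python
"""Detect the Portacopos persistence indicators in a .reg export (added example)."""
import re

# Constructed sample of a registry export, mirroring the entries the description lists.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"BOOT Verify"="C:\\WINDOWS\\WSys.exe /plus"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft]
"CountStart"=dword:00000003
"""

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
COUNTER_KEY = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft"
# Matches "Name"="string" or "Name"=dword:XXXXXXXX lines of a .reg file.
VALUE_RE = re.compile(r'^"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$')


def parse_reg(text):
    """Return {key_path: {value_name: data}} for string and dword values."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, s, dw = m.groups()
            # .reg exports escape backslashes; undo that for string data.
            keys[current][name] = int(dw, 16) if dw is not None else s.replace("\\\\", "\\")
    return keys


def find_portacopos(reg):
    """Flag any Run value launching WSys.exe, plus the CountStart run counter."""
    findings = []
    for name, data in reg.get(RUN_KEY, {}).items():
        if isinstance(data, str) and "wsys.exe" in data.lower():
            findings.append(("persistence", name, data))
    count = reg.get(COUNTER_KEY, {}).get("CountStart")
    if count is not None:
        findings.append(("run_counter", "CountStart", count))
    return findings


if __name__ == "__main__":
    for finding in find_portacopos(parse_reg(SAMPLE_REG)):
        print(finding)
```

The check matches on the WSys.exe image path rather than only the "BOOT Verify" value name, so a renamed value is still caught; CountStart gives a rough idea of how often the sample ran on the host.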
Symptoms
- Creation of the file WSYS.EXE in the Windows folder.
- Modification of the registry to load this Trojan at Windows startup, as mentioned in the Characteristics section.
- Deletion of critical files after starting Windows, on Portuguese systems.
Method Of Infection
The Portacopos Trojan is designed to hamper Portuguese Windows systems. On these systems, when the Trojan is run, it copies itself as "WSYS.EXE" to the %Windir% folder. Next, it modifies the registry to load at Windows startup:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BOOT Verify = (%Windir%)\WSys.exe /plus