W32/Demotry-A

Category: Viruses and Spyware
Type: Win32 worm
Prevalence: Small Number of Reports


W32/Demotry-A is a worm for the Windows platform.

When run, W32/Demotry-A copies itself to the Windows folder as rundl32.exe and sets the following registry entry in order to run each time a user logs on:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
RUNDLL32
"rundl32.exe"

The worm scans network computers on port 445. W32/Demotry-A copies itself through network shares and mapped logical drives. When spreading through networks, W32/Demotry-A uses the following filenames:

1C.exe
Baza.exe
Foto.exe
Internet.exe
Kompromat.exe
Otkrytka.exe
Porno.exe
Premiya.exe
Siski.exe
Spravochnik.exe
SuperFuck.exe
SuperTetris.exe
Telefone.exe
Telefons.exe
Tetki.exe

In some cases, W32/Demotry-A may insert several spaces between the filename and the EXE file extension. The worm may also use other filenames that are randomly generated or include non-printable characters.
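The following Python sketch is an added example, not part of the original description. It triages a file listing from a share against the filenames listed above, tolerating the spaces before the extension and flagging non-printable characters. The function names and the sample listing are constructed for illustration.

```python
import re
import unicodedata

# Filename stems listed in this description, compared case-insensitively.
KNOWN_STEMS = {s.lower() for s in (
    "1C", "Baza", "Foto", "Internet", "Kompromat", "Otkrytka", "Porno",
    "Premiya", "Siski", "Spravochnik", "SuperFuck", "SuperTetris",
    "Telefone", "Telefons", "Tetki",
)}

# Stem, optional run of whitespace, then the .exe extension.
EXE_RE = re.compile(r"(?P<stem>.*?)(?P<pad>\s*)\.exe", re.IGNORECASE | re.DOTALL)


def classify(filename):
    """Return the reasons a filename matches the behaviour described above."""
    reasons = []
    m = EXE_RE.fullmatch(filename)
    if not m:
        return reasons  # not an .exe name, nothing to report
    if m.group("stem").strip().lower() in KNOWN_STEMS:
        reasons.append("known-name")
    if m.group("pad"):
        # Whitespace directly before ".exe" hides the extension in listings.
        reasons.append("padded-extension")
    # Unicode categories Cc/Cf cover control and invisible format characters.
    if any(unicodedata.category(ch) in ("Cc", "Cf") for ch in filename):
        reasons.append("non-printable")
    return reasons


def triage(listing):
    """Map each suspicious name in a directory listing to its reasons."""
    return {name: r for name in listing if (r := classify(name))}


if __name__ == "__main__":
    # Constructed sample listing, not taken from a real host.
    sample = ["Foto.exe", "Kompromat     .exe", "PREMIYA.EXE",
              "report.exe", "notes.txt", "x\x07y.exe"]
    for name, reasons in triage(sample).items():
        print(repr(name), reasons)
```

A name flagged only as padded-extension or non-printable is a lead for review, not proof of infection.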

W32/Demotry-A monitors the A: drive and copies itself to that drive when it determines that the drive is available.

W32/Demotry-A also contains the functionality to dial a predefined telephone number. The worm may also connect to remote web servers and display web pages.
