W32/Flukan-D is a backdoor virus for the Windows platform.
The virus also has the following functionality:
- terminates security and administration related processes (and explorer.exe)
- connects to remote IRC servers to receive and execute commands on the local system
- steal information
- overwrite the hosts file
- disable safe mode
- delete anti-virus related files and services
When first run W32/Flukan-D may copy itself to:
<Windows>\<random 5 characters>.exe
<System>\<Config>\<random 5 characters>.exe
<System>\<Config>\Efata.exe
and creates the following files:
<System>\<Config>\devil.ocx
<System>\<Config>\pluto.ocx
These files can be safely deleted.
Registry entries are created under:
HKLM\SOFTWARE\Efata
The virus may also set the following registry entries:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Efata
<System>\<Config>\<random 5 characters>.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
DisableCmd
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFind
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFolderOptions
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoRecentDocsMenu
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoRun
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoSetFolders
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoTrayContextMenu
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoViewContextMenu
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
2
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Explorer.exe <Windows>\<random 5 characters>.exe