
Perlovga.A


First posted on 01 March 2007.
Source: SecurityHome

Aliases :

Perlovga.A is also known as Virus.Win32.Perlovga.a, W32/Perlovga.

Explanation :

Perlovga.A copies itself to the Windows folder.


Upon execution, Perlovga.A determines the drive letter from which it was executed. It then opens the root folder of that drive and copies itself to %windir%\xcopy.exe.

It then copies the file host.exe from the root of the current drive to %windir%\svchost.exe.

It then copies autorun.inf from the root of the current drive to %windir%\autorun.inf, executes %windir%\svchost.exe, and then exits.
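
A triage check for the file layout described above, as an added example that is not part of the original write-up: it flags xcopy.exe, svchost.exe and autorun.inf sitting directly in %windir%, and drive roots that hold both host.exe and autorun.inf. The function names, the drive letters checked and the name-only matching are assumptions; a match is a lead to investigate, not confirmation.

```python
import os
from pathlib import Path

# File names the write-up says are dropped directly into %windir%.
# Legitimate xcopy.exe and svchost.exe live in %windir%\System32, so a copy
# in the top level of %windir% is worth investigating.
WINDIR_DROPS = {"xcopy.exe", "svchost.exe", "autorun.inf"}
# Files the write-up says are read from the root of the infected drive.
DRIVE_ROOT_FILES = {"host.exe", "autorun.inf"}


def _top_level_matches(folder, names):
    """Return files directly inside folder whose lower-cased name is in names."""
    folder = Path(folder)
    if not folder.is_dir():
        return []
    return sorted(p for p in folder.iterdir()
                  if p.is_file() and p.name.lower() in names)


def find_perlovga_artifacts(windir, drive_roots):
    """Collect (location, path) findings for the file layout described above."""
    findings = [("windir", p) for p in _top_level_matches(windir, WINDIR_DROPS)]
    for root in drive_roots:
        hits = _top_level_matches(root, DRIVE_ROOT_FILES)
        # Report a drive only when both files are present:
        # autorun.inf on its own is common on legitimate media.
        if {p.name.lower() for p in hits} == DRIVE_ROOT_FILES:
            findings += [("drive_root", p) for p in hits]
    return findings


if __name__ == "__main__":
    windir = os.environ.get("windir", r"C:\Windows")
    roots = [f"{c}:\\" for c in "DEFGH"]  # assumed drive letters to check
    for location, path in find_perlovga_artifacts(windir, roots):
        print(f"{location}: {path}")
```
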

For more details, read about it on our blog at
http://www.f-secure.com/weblog/archives/archive-012007.html#00001097

Last update 01 March 2007

 
