http://vil.nai.com/vil/vpe10499.asp

Name: W32/Crypto
Aliases: Win32/Crypto
Variants: None
Date Added: 12/30/99

Information
Discovery Date: 12/30/99
Type: Virus
SubType: Win32
Risk Assessment: Low
Minimum DAT: 4061
Minimum Engine: 4.0.25

These additional modifications are made to the registry:

HKEY_USERS\.DEFAULT\Software\Microsoft\Cryptography\UserKeys\Prizzy/29A\EExport="01"
HKEY_USERS\.DEFAULT\Software\Microsoft\Cryptography\UserKeys\Prizzy/29A\EPbK="E7,6D,8B,6F,27,05,60,6A,34,EA,95,CA,17,4D,F4,2B"
HKEY_USERS\.DEFAULT\Software\Microsoft\Cryptography\UserKeys\Prizzy/29A\ExchTypeSubtype="02,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00"
HKEY_USERS\.DEFAULT\Software\Microsoft\Cryptography\UserKeys\Prizzy/29A\Kiss Of Death="5E,22,E4,CA,EC,8E,BA,7B,70,6E,F2,9B,89,FB,56,C8"
HKEY_USERS\.DEFAULT\Software\Microsoft\Cryptography\UserKeys\Prizzy/29A\PSKEYS="02,00,00,00"
HKEY_USERS\.DEFAULT\Software\Microsoft\Cryptography\UserKeys\Prizzy/29A\RandSeed="FA,17,33,0E,BE,A1,9E,F1,F1,EB,FD,2C,79,F1,03,02"
HKEY_USERS\.DEFAULT\Software\Microsoft\Cryptography\UserKeys\Prizzy/29A\SigTypeSubtype="01,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00"
HKEY_LOCAL_MACHINE\Software\CLASSES\AutoRun\4\DefaultIcon\@="E:\CDSAMPLE\AUTORUN\WIN98CD.ICO"
HKEY_LOCAL_MACHINE\Software\CLASSES\AutoRun\4\Shell\@="AutoRun"
HKEY_LOCAL_MACHINE\Software\CLASSES\AutoRun\4\Shell\AutoRun\@="Auto&Play"
HKEY_LOCAL_MACHINE\Software\CLASSES\AutoRun\4\Shell\AutoRun\command\@="E:\CDSAMPLE\AUTORUN\AUTORUN.EXE"
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\IEDirtyFlags\My="524288"
HKEY_LOCAL_MACHINE\Software\Microsoft\Protected Storage System Provider\Migrate="3"
HKEY_LOCAL_MACHINE\Software\Microsoft\Protected Storage System Provider\*Default*\Data\Blocking="92,3F,E4,39,55,BB,77,11,03,84,6B,89,C8,AB,28,97"
HKEY_LOCAL_MACHINE\Software\Microsoft\Protected Storage System Provider\*Default*\Data\4d1fa410-6fd9-11d0-8c58-00c04fd9126b\Display String="Cryptographic Keys"
HKEY_LOCAL_MACHINE\Software\Microsoft\Protected Storage System Provider\*Default*\Data\4d1fa410-6fd9-11d0-8c58-00c04fd9126b\4d1fa411-6fd9-11d0-8c58-00c04fd9126b\Access Rules="3E,37,C3,AB,CF,74,C0,0B,54,CC,8E,AB,0E,BD,00,A6"
HKEY_LOCAL_MACHINE\Software\Microsoft\Protected Storage System Provider\*Default*\Data\4d1fa410-6fd9-11d0-8c58-00c04fd9126b\4d1fa411-6fd9-11d0-8c58-00c04fd9126b\Display String="RSA Signature Keys"
HKEY_LOCAL_MACHINE\Software\Microsoft\Protected Storage System Provider\*Default*\Data\4d1fa410-6fd9-11d0-8c58-00c04fd9126b\4d1fa412-6fd9-11d0-8c58-00c04fd9126b\Access Rules="43,27,0D,9C,6D,54,7A,5D,A0,B9,0F,17,0F,9E,DD,62"
HKEY_LOCAL_MACHINE\Software\Microsoft\Protected Storage System Provider\*Default*\Data\4d1fa410-6fd9-11d0-8c58-00c04fd9126b\4d1fa412-6fd9-11d0-8c58-00c04fd9126b\Display String="RSA Exchange Keys"
HKEY_LOCAL_MACHINE\Software\Microsoft\Protected Storage System Provider\*Default*\Data\4d1fa410-6fd9-11d0-8c58-00c04fd9126b\4d1fa412-6fd9-11d0-8c58-00c04fd9126b\Prizzy/29A\Behavior="8C,A1,B6,3A,3C,3C,27,FB,63,2B,E3,04,A4,D7,B7,B4"
HKEY_LOCAL_MACHINE\Software\Microsoft\Protected Storage System Provider\*Default*\Data\4d1fa410-6fd9-11d0-8c58-00c04fd9126b\4d1fa412-6fd9-11d0-8c58-00c04fd9126b\Prizzy/29A\Item Data="B1,3F,34,0E,AA,E0,14,35,D7,AB,BA,F4,B3,3E,48,46"
HKEY_LOCAL_MACHINE\Software\Microsoft\Protected Storage System Provider\*Default*\Data 2\Windows\Value="28,D4,8D,82,59,41,33,BA,90,E1,38,30,C5,13,FE,CB"

The values above are used by the patched KERNEL32.DLL for information on encrypting infections.

Symptoms
Registry modifications as mentioned above, modification date change on PE type files.

Method Of Infection
Direct infection via patched KERNEL32.DLL.

Removal Instructions
Use specified DAT and Engine for detection only. Reinstall/replace files found detected as this virus.

© 1999-2000, Network Associates, Inc. and its affiliated Companies. All Rights Reserved.