nvcpl.exe - Dangerous
%sysdir%\nvcpl.exe
Jeff's Story:
My PC had gotten a bad rootkit that my ISP antivirus software (powered by McAfee) could not detect, nor could fix.
I sought a solution on the Internet and discovered your product and tried out the trial.
You quickly found the rootkit and SAVED my PC!
I haven't had any problems since, and I'm extremely grateful.
Manual removal instructions:
It is a mass-mailing worm that uses its own SMTP engine for spreading.
1. Adds to Windows startup.
It masks to NVIDIA control panel application NvCpl.exe.
2. Creates the files
%System%\Dong_Shi.exe
%System%\NvCpl.EXE
C:\Yanzi.htm
%Windir%\Sun_YanZI.zip (a zip file that contains a file Sun_Yan_Zi-Shen_Q1.mp3.pif - it is a copy of the worm)
%System%\Huai_Tian_Q1.sys ( an MIME-encoded zip file that contains a file Sun_Yan_Zi-Shen_Q1.mp3.pif - it is a copy of the worm)
%System%\I_am_Sun_Yanzi.sys. (an MIME-encoded worm)
YanZi.vbs. (this file is created in the current folder and it creates the file sun.exe)
When the file sun.exe runs, it creates three .jpg files under %Temp% folder. The file names have "SuN" as prefix.
One of these files is a Trojan that exploits the Microsoft GDI+ Library JPEG Segment Length Integer Underflow vulnerability (described in the Microsoft Security Bulletin MS04-028) to download and execute a file named m00.exe, from the domain sunyanzi.fastmail.cn. This file is also a Trojan.