You can prove that the virus is functioning as it's author intended by checking that the following files are in place:
%System%\taskgmr.exe
%SystemDrive%\funny_pic.scr
%SystemDrive%\my_photo2005.scr
%SystemDrive%\see_this!!.scr
%System% and %SystemDrive% are variables that will coincide C:\Windows\System32 and C:\, unless you or the installer set them differently.
If you can verify those are in place, you can argue that the worm is functioning as the author intended. This would prove that the virus has had no impact on the boot sector or the NT Loading files.
|