A virus disguise

Source: Internet
Author: User

The virus broadcast from China South tiger lists a virus: "2060299" (PE.VBIconchgs.il.2060299).

The analysis description in the encyclopedia is as follows:

Virus name (Chinese): attacker bundle 2060299
Threat Level: ★★☆☆☆
Virus Type: file bundle
Virus length: 2060299
Affected System: Win9x WinMe WinNT Win2000 WinXP Win2003

Virus behavior:

This is an infectious bundle program written in VB. It binds a virus program to a normal file and releases the virus once the file is on the computer. The virus it carries is a remote Trojan, which is capable of spoofing and will try to fool the user's firewall.

1. The virus is disguised as a Microsoft file with the following copyright information. (The virus is disguised as a program with a Microsoft signature. If you do not pay attention to it, you will think it is a patch file released by Microsoft)
Note: Microsoft HotFixes
Product Version: 5.04.0103
Product Name: Microsoft HotFixes
Company: Microsoft Corporation
Legal trademark: Microsoft HotFixes
Internal version: Installer94
Source File Name: Installer94.exe
The virus contains the Awsotr_Auto_Infect_And_Icon_Changer string.

2. It releases the virus file to IIS windowsdirectory‑a‑rd.exe for execution, and releases the files and icons to the c: msasn1 directory. The files are: labels, Set1.Ico files, and the icon files remain unchanged during execution.

3. It searches for objects, adds the additional objects to the front of each .EXE file found, and combines the icon files into new files.

4. When the infected file is executed, the bound virus file is released and executed. The virus does not release or execute the original file.

5. The virus is bundled with a Trojan program and disguised as a Microsoft firewall program. The virus contains the following string (it is shown in a dialog box that pops up when the virus is executed, to induce users to disable other anti-virus software):

This disk is being protected by the Microsoft firewall.
If other anti-virus software blocks the operation of the Microsoft firewall, disable other anti-virus software and
We recommend that you only run Microsoft firewall
To replace other anti-virus configurations for higher compatibility...

Virus files are disguised as Microsoft files with the following copyright information:
Note: Microsoft Firewall Installer 12th Edition
Product Version: 1.01.0040
Product Name: Microsoft Firewall Installer
Company: XC Microsoft
Legal trademark: Microsoft Firewall Installer
Internal name: FirewallN39
Source File Name: FirewallN39.exe

The above information is sourced from the Internet Explorer.

http://vi.duba.net/virus/pe-vbiconchgs-il-2060299-51806.html

If I don't get this sample, I don't have the dialog box after the virus runs.
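A triage check built from the indicators quoted above, as an added example that is not part of the original article: it looks for the marker string and reads the version-info strings from raw file bytes. The mapping of the translated labels to the `ProductName` and `OriginalFilename` keys, the function names and the sample bytes are assumptions made for this example.

```python
import struct

# Indicators quoted in the description above. Mapping the translated labels
# "Product Name" / "Source File Name" to the VERSIONINFO keys is an assumption.
MARKER = "Awsotr_Auto_Infect_And_Icon_Changer"
DISGUISES = [
    {"ProductName": "Microsoft HotFixes", "OriginalFilename": "Installer94.exe"},
    {"ProductName": "Microsoft Firewall Installer", "OriginalFilename": "FirewallN39.exe"},
]

def version_strings(data: bytes) -> dict:
    """Recover the listed VERSIONINFO String values from raw file bytes."""
    found = {}
    for key in ("ProductName", "OriginalFilename"):
        needle = key.encode("utf-16-le") + b"\x00\x00"
        at = data.find(needle)
        if at < 6:                      # not found, or no room for the header
            continue
        start = at - 6                  # String = wLength, wValueLength, wType, szKey
        (length,) = struct.unpack_from("<H", data, start)
        off = (6 + len(needle) + 3) & ~3    # Value is 32-bit aligned
        raw = data[start + off:start + length]
        found[key] = raw.decode("utf-16-le", errors="replace").split("\x00")[0]
    return found

def assess(data: bytes) -> list:
    """Return the reasons a file matches the bundle described above."""
    reasons = []
    if MARKER.encode("ascii") in data or MARKER.encode("utf-16-le") in data:
        reasons.append("marker string")
    info = version_strings(data)
    for disguise in DISGUISES:
        if all(info.get(k) == v for k, v in disguise.items()):
            reasons.append("version info: " + disguise["OriginalFilename"])
    return reasons

def make_string(key: str, value: str) -> bytes:
    """Build one VERSIONINFO String entry (constructed sample data only)."""
    k = key.encode("utf-16-le") + b"\x00\x00"
    v = value.encode("utf-16-le") + b"\x00\x00"
    body = k + b"\x00" * (-(6 + len(k)) % 4) + v
    entry = struct.pack("<HHH", 6 + len(body), len(value) + 1, 1) + body
    return entry + b"\x00" * (-len(entry) % 4)

# Constructed sample: not bytes from a real file.
SAMPLE = (b"MZ" + b"\x00" * 62
          + make_string("ProductName", "Microsoft HotFixes")
          + make_string("OriginalFilename", "Installer94.exe")
          + MARKER.encode("utf-16-le"))
```

Version-info strings are written by whoever builds the file, so a match is a reason to look closer and a clean result proves nothing; whether a file really comes from Microsoft is decided by its digital signature, not by these fields.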
