C:\Windows\CyberWolf.exe

También se copia a si mismo en el directorio System de Windows con los siguientes nombres:

Api Hooking-Tutorial.exe
Christina Aguilera-The most beautiful girl on earth.scr
FixSql.com
format.com
Hotmail Hacker.exe
Kernel32.exe
Last Summer.scr
Love.scr
Magical-Screensaver.scr
mapi32.drv
MsnMsgs.exe
OutWar Demo.exe
Q30215HOTFIX.pif
Saddam-the real pics.scr
SARS-Guide.scr
Setup.exe
Soccer Database.exe
Virtual Joke.scr

El archivo Kernel32.exe (del gusano), es puesto con los atributos de oculto (+H) y de sistema (+S). También modifica la asociación con archivos ejecutables .EXE, de modo que cada vez que se corra un ejecutable, se lance antes el gusano (en el archivo "Kernel32.exe").

HKEY_CLASSES_ROOT\exefile\shell\open\command
(Predeterminado) = c:\windows\system\kernel32.exe "%1" %*

También crea dos claves de inicio, para que dos archivos se ejecuten al reiniciarse Windows:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

CyberWolf = C:\Windows\CyberWolf.exe
windows Kernel = c:\windows\system\kernel32.exe

También agrega o modifica las siguientes entradas:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion
\App Paths\REGEDIT.EXE
(Predeterminado) = c:\windows\system\kernel32.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion
\App Paths\MSCONFIG.EXE
(Predeterminado) = c:\windows\system\kernel32.exe

De este modo, cada vez que se ejecute REGEDIT.EXE o MSCONFIG.EXE se lanza una copia del gusano.

También agrega el siguiente valor:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
system = c:\windows\system\kernel32.exe

Además, cambia los siguientes valores de la siguiente clave:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden = 2
HideFileExt = 1

El gusano finaliza los siguientes procesos que se estuvieran ejecutando en memoria, pertenecientes a conocidos antivirus, cortafuegos, etc.:

ALERTSVC
AMON.EXE
ANTI-TROJAN
ATRACK
AVCONSOL
AVP.EXE
AVP32
AVPCC.EXE
AVPM.EXE
AVSYNMGR
BLACKICE
CCAPP.EXE
CFINET
CFINET32
CLEANER
COMMAND
ESAFE.EXE
F-PROT
FP-WIN
FRW.EXE
F-STOPW
IAMAPP
IAMSERV.EXE
ICMON
IOMON98
LOCKDOWN2000
LOCKDOWNADVANCED
LUALL.EXE
LUCOMSERVER
MCAFEE
MSCONFIG
NAVAPSVC
NAVAPW32
NAVLU32
NAVRUNR
NAVW32
NAVWNT
NETSERVICES
NISSERV
NMAIN.EXE
NPROTECT
NSCHED32
NVC95
PCCIOMON
PCCMAIN
PCCWIN98
PCFWALLICON
POP3TRAP
PVIEW.EXE
RAVMOND
REGEDIT
RESCUE32
SAFEWEB
SCAN32
SPHINX.EXE
SYMPROXYSVC
SYSHELP
TASKMGR
TDS2-NT
VETTRAY
VSECOMR
VSHWIN32
VSMON.EXE
VSSTAT
WEBSCANX
WEBTRAP
WINDRIVER
WINGATE
WINHELP
WINRPC
ZAPRO.EXE
ZONEALARM

También impide que se ejecuten procesos de programas con los siguientes nombres:

LiveUpdate
Norton AntiVirus
Process Viewer
Registry-Editor
System Configuration Utility
Windows Task Manager

El gusano localiza la carpeta compartida con otros usuarios por la utilidad KaZaa, y si la encuentra (si este programa está instalado), se copia allí con los siguientes nombres:

• AIM Remote Password Cracker.exe
• Chaos Ip Spoof 2003.exe
• FTP Cracker-2003(Crack the password of ANY FTP server with this tool!).exe
• Hotmail Exploiter 2003.exe
• Msn Messenger Remote Password Cracker 2003.exe
• Netbios hacker.exe
• Ultimate HackProg.exe
• Virus Creation ToolKit-VX v7.1_create virii with this tool, Klez.H and Sircam has been created with version 6.exe
• WebAttack-DoS Tool.exe
• XNuker 2003.exe
• Yahoo Remote Password Cracker Deluxe 2003.exe

También se copia en las siguientes carpetas, si ellas existen:

C:\Archivos de programa\Morpheus\My Shared Folder
C:\Archivos de programa\Bearshare\Shared
C:\Archivos de programa\Edonkey2000\Incoming

Con los siguientes nombres:

Chaos Ip Spoof 2003.exe
Hotmail Exploiter 2003.exe
Msn Messenger Remote Password Cracker 2003.exe
Netbios hacker.exe
Ultimate HackProg.exe

Si existe, modifica el archivo "script.ini" del programa mIRC, para propagarse con el nombre de "Magical-Screensaver.scr" por los canales de IRC compartidos por el usuario de la computadora infectada. Para ello, envía el siguiente mensaje:

[nick] hi,im CyberWolf,15 and from austria and u?
[nick] check out this crazy screensaver!its magic!!!

El gusano localiza el nombre de usuario, dirección de correo y dirección IP del servidor SMTP de la cuenta predeterminada de la víctima, y usa estos datos en su propio motor SMTP para enviar mensajes infectados a todos los contactos de la libreta de direcciones de Windows, y de direcciones recolectadas de los contactos del Yahoo Messenger, MSN y .NET Messenger, ICQ, y archivos .HTML (páginas) y .EML (mensajes Outlook) encontrados en cualquier lugar del disco duro..

Los mensajes enviados tienen estas características:

==============================

De: Lovergirl@hotmail.com
Asunto: Do you remember last summer?
Datos adjuntos: Last Summer.scr

Texto del mensaje:
hi
Do you remember we met last summer?
We became very good friends at the end huh!
Well i looked a bit over internet and i encountered your Email,so i thought why not send him the pics from last summer
I've attached them in this email,there in ScreenSaver format,pls reply to me if you liked them
See you soon again xxx
Love ya...

==============================

De: Webmaster@planet-source-code.com
Asunto: Api Hooking Tutorial...
Datos adjuntos: Api Hooking-Tutorial.exe

Texto del mensaje:
Did you wanted to learn how to api hook?
Here your chance!This tutorial explains all the basics AND moderate Api Hookings
Starting by hooking Registry Keys,Till hiding files from view in Windows Explorer
After reading this tut you can even start Windows RootKit Programming but ofcourse thats up to you to decide...
The Tutorial attached in this e-mail is for privat use only and may never be distributed under any curcumstances
Provided to you by: Webmaster<Webmaster@planet-source-code.com> and www.planet-source-code.com

==============================

De: Support@microsoft.com
Asunto: Windows Hotfix!
Datos adjuntos: Q30215HOTFIX.pif

Texto del mensaje:
Attached is the HotFix for several bugs in Windows Operating Systems.
The following Windows versions are vulnerable:
Windows Xp home and Pro edition (with/without SP1)
Windows ME,2000 and NT Home and Pro Edition(With/without SP)
Windows 98 Home,Pro and Special Edition(With/without SP)
The following Windows Operating Systems are not vulnerable:
Windows 95(All editions With or Without Sp
Microsoft IIS(all versions)
If your Operating System is one of the vulnerable systems listed above then Microsoft Corp. recommends you to install this HotFix
If you for some reason didn't install this hotfix,then your pc will be vulnerable to this bugs allowing an attacker to Remote Control your pc,or beeing infected with the infamous SqlSlammer.
Because this is an critical bug,Microsoft Corp. has send this HotFix to all of his customors who use one of the OS's.
For more information about this bug or about Microsoft Corp.,please visit www.microsoft.com
Presented to you by:Microsoft HelpDesk<Support@microsoftcom>

==============================

De: SecurityResponse@symantec.com
Asunto: Warning from Symantec.com
Datos adjuntos: FixSql.com

Texto del mensaje:
5/4/2003 A NEW INTERNET WORM HAS BEEN FOUND IN THE WILD
A new very dangerous internet worm has been found in the wild.This worms goes under the name W32.SqlSlammer.C@mm and has the possibility to
spread by several ports on your pc(139,25,445,446,10252).
It will infect you without your knowlegde because it uses the Sql Buffer Overflow exploit.Because of this its very hard for Av companies and Microsoft to
contain this thread.Thats why we decided to protect our customors by sending then SqlFix and thus protecting them from infection.
After installation the fix will determine if the SqlSlammer.C has infected your pc and clean it.If it didn't infect it then it will make sure it will never infect you by closing the bug in your OS.
Simply run the attached fix and wait for the dialog to prompt,select the <Full Clean> feature and wait till its finished.
Sincerely,
Symantec Security Response Team
Symantec Corporation

==============================

De: Admin@hackers.com
Asunto: u wanted to hack?
Datos adjuntos: Hotmail Hacker.exe

Texto del mensaje:
hi there,so you wanted to hack your friends hotmail account huh,well use this xss-exploit tool to find his password within 3 minutes!!
Simply open it and enter your victims email ID and select <hack>
This will also work on Yahoo and Icq accounts
Admin@hackers.com

==============================

De: Lovergirl963@hotmail.com
Asunto: Do you remember last summer?
Datos adjuntos: Last Summer.scr

Texto del mensaje:
hi
Do you remember we met last summer?
We became very good friends at the end huh!
Well i looked a bit over internet and i encountered your Email,so i thought why not send him the pics from last summer
I've attached them in this email,there in ScreenSaver format,pls reply to me if you liked them
See you soon again xxx
Love ya...

==============================

De: Lovergirl963@hotmail.com
Asunto: Fwd:Fwd:Fwd:Sit back and be surprised...
Datos adjuntos: Magical-Screensaver.scr

Texto del mensaje:
Magic in CyberSpace,its almost unbelievable!
1)Pick 3 numbers and write them down on a paper.
2)Add one of the following values to the 3 numbers:Love,Friendship and Sex.Write these values next to the number
3)Pick 1 additional number and say it out loud 5 times
4)Now the sticky part:Choose 3 names of girls/boys who you like and write them below on that paper.
5)Now open the Magical screensaver i attached,wrap the paper in your left hand and close your eyes until you here the beep.
6)Open your eyes again and look at the screen.What the screensaver displayed will be personal,so you'll have to be alone in your room.Everything the screensaver displays will come tru within the next 2 months,Only the Sex part will come tru when your above 16.
You don't have to forward this email but then your friends won't get the chance to make their dreams come tru,So if you want your friends to be happe,simply mail them the magic...
Be aware!No cheating allowed,Once you have written those names and values on your paper you cannot chance them!!!

==============================

De: Admin@screensavers.com
Asunto: The Magic screensaver
Datos adjuntos: Magical-Screensaver.scr|

Texto del mensaje:
Check out this magic screensaver.Its pure magic!!!
Follow these steps for the magic:1)Pick 3 numbers and write them down on a paper.
2)Add one of the following values to the 3 numbers:Love,Friendship and Sex.Write these values next to the number
3)Pick 1 additional number and say it out loud 5 times
4)Now the sticky part:Choose 3 names of girls/boys who you like and write them below on that paper.
)Now open the Magical screensaver i attached,wrap the paper in your left hand and close your eyes until you here the beep.
)Open your eyes again and look at the screen.What the screensaver displayed will be personal,so you'll have to be alone in your room.Everything the screensaver displays will come tru within the next 2 months,Only the Sex part will come tru when your above 16.
Presented by Admin@screensavers.com

==============================

De: ebmaster@Loveforlife.com
Asunto: Feel the reason why we fall in love...
Datos adjuntos: Love.scr

Texto del mensaje:
It takes One minute to find someone special
One hour to like someone
1 Day to fall in love with someone
But it takes a lifetime to forget someone.
If you have ever been in love then you'll know about what i am talking.
If you wanne have that same old feeling then open the lovescreensaver and realise why we fall in love all the time...
Feel the reason why we fall in love...

==============================

De: Webmaster@Outwar.com
Asunto: Outwar is proud to present you:Outwar InterActive
Datos adjuntos: OutWar Demo.exe

Texto del mensaje:
After beeing succesfull for quit some years now and having more then 20000 clients,it was time for something new.
Thats why we decided to take our OutWar into the game market and developed OurWar InterActive
This game will be in shops late summer and will cost about 36$.
It will be avaible across the Usa,Europe,Australia and Asia.Our release for Africa is scheduled early 2004.
Because this will mean a lot of waiting,we developed the first Official OutWar Int. Demo!
The attached file contains Installation Packet for the downloader.
Install it and download the game from our Private FTP servers,and then enjoy it on your home pc!.
Sincerely yours
Webmaster@outwar.com

==============================

De: Soccerfan@yahoo.com
Asunto: Fwd:Fwd:Fwd:Soccer...
Datos adjuntos: Soccer Database.exe

Texto del mensaje:
Ever wanted to see the best goals,the most beautiful freekicks etc.with just 2 clicks with your mouse?
Ever wanted to acces the largest Soccer Database on the internet where all goals from more then 25 international competitions from the past 15 years are stored?
Here is your chance,this program has instant acces it,so you can enjoy how Diego Maradonna scored <with the hand of god>,or how Johan Cruyff curled
hat ball into the goal...Enjoy!
The database contains goals from countries like:Spain,Italy,France,Germany,England,Belgium,The Netherlands,Sweden,Finland and much more
Also forward this to all football fans you know so they can enjoy this to.

==============================

De: Webmaster@beautifulgirls
Asunto: Christina Aguilera:The most beautiful girl on earth
Datos adjuntos: Christina Aguilera-The most beautiful girl on earth.scr

Texto del mensaje:
Don't you think Christina Aguilera is the most beautiful girl on earth?
She is soo nice!!!
That clip <Dirrty> was amazing...
If you wanne see some hidden pics of that videoclip then check out this screensaver
Its nice...Very nice,if you get what i mean ;)
Webmaster@beautifulgirls.com

==============================

De: webmaster@screensavers.com
Asunto: Saddam a live and kickin
Datos adjuntos: Saddam-the real pics.scr

Texto del mensaje:
The whole world wants to know it,is saddam a live,or death?
Well somedays a go the britisch took secret spy cam pics,and luckely someone has uploaded this pics to the internet,and now their avaible!
You won't believe what you see!its amazing!!!The spy cam was hidden inside a tower in Bagdad and it took pics from saddam and his sons,they our 250m beneath the ground!
Check out the pics i attached,you won't believe what you see!

==============================

De: Admin@jokes.com
Asunto: The Virtual Joke...
Datos adjuntos: Virtual Joke.scr

Texto del mensaje: Have you seen it yet?
You should because its soooooo funny,i wish the real jokes where that funny :)
Check out the attached screensaver and enjoy the pleasure of laughing...

==============================

De: flipbabe@hotmail.com
Asunto: Fwd:Fwd:Whats really happening in bagda
Datos adjuntos: Saddam-the real pics.scr

Texto del mensaje:
Someone of the britisch army has made some Secret Spy Cam pics,and uploaded it to the internet!!
The pics show you exactly whats reall happened in Irak!Its really not what you've seen on tv!
Check out the attached file and forward this to as much friends so that they can all see what has really happened in Irak.
FlipBabe xxx

==============================

De: mailinglist@Msn.com
Asunto: Get the new Msn 5.1!
Datos adjuntos: MsnMsgs.exe

Texto del mensaje:
Tired of the little nicknames in Msn,tired of all the limits?
Well we've got news for you,Msn 5.1 is the newest and best msn messenger ever!
It allows nicknames up to 500 characters and has many new functions who will make your cyberlife easyier and better!
Msn Messenger 5.1 is avaible for following Operating Systems:
Windows Xp
Windows ME and 2000
Windows 98 and NT
Is not avaible for:Windows 95
This version of msn messenger supports also Api's in Windows Xp so you can make your own addons.
To download Msn Messenger 5.1 install the attached Root Setup.
WARNING:MSN MESSENGER IS NOT AVAIBLE FOR DOWNLOAD AT OUR WEBSITE DUE TO JURIDICAL RESTRICTIONS,IF YOU WANT IT YOU'LL HAVE TO INSTALL THE ROOT SETUP.
If you don't want to install it then you'll have to wait for another 5 weeks because of the juridical restricions.
Please do not forward this email.Every user who has Msn Messenger installed will receive this email sooner or later,so its up to them to decide to use the new version of not
Sincerely yours:
The Msn Messenger Team
The Hotmail Team

==============================

De: mailinglist@healthcare.com
Asunto: How to protect yourself against SARS
Datos adjuntos: HowTo-SARS.exe

Texto del mensaje:
SARS aka. Severe Acute Respiratory Syndrome is a worldwide health threat.
It was first discovered in China
But now,it has become a very big thread to all people in this world
If no vaccin is found,soon more then 500.000 people will be infected with it
This vaccin is not yet made,so within this time the ONLY protection humans have is prevention of infection
Thats why we of HealthCare launched a project in which we will send newsletters with information about SARS and with prevention rules.
Symptoms:High Fever(>38°C) AND one or more respiratory symptoms including cough, shortness of breath, difficulty breathing
Also be aware of the following:close contact with a person who has been diagnosed with SARS AND a recent history of travel to areas reporting cases of SARS
In addition to fever and respiratory symptoms, SARS may be associated with other symptoms including: headache, muscular stiffness, loss of appetite, malaise, confusion, rash, and diarrhea.
Until more is known about the cause of these outbreaks, WHO (World Health Organization) recommends that all people read the attached instructions of howto prevent beeing infected with SARS and what to do when infection has occurred
For more information contact:
Dick Thompson - Communication Officer
Communicable Disease Prevention, Control and Eradication WHO, Geneva
Telephone: (+41 22) 791 26 84
Email: thompsond@who.int

==============================

El gusano finalmente abre ventanas del navegador apuntando a alguno de estos sitios, dependiendo de la fecha actual del sistema:

www.brain-hack.com
www.indiansnakes.cjb.net
www.christinaaguilera
www.catholicninjas.org/superfuntime/

El gusano también envía mensajes a las compañías antivirus, similares a este:

De: twistmaster13@hotmail.com
Asunto: Hi,i'm 100% sure i'm infected!

Texto:
mmm...if you received this mail,then someone has been infected with W32.CyberWolf.B@mm => a new massmailer worm.
For every infection this worm does,you'll receive an email like this.

It has never been my intention to cause your mailbox any harm, nor mailbomb it.
Its just so that you can have a quite accurate view on how many infections..because most of the times,Av companies are miles away from the real number...

Algunos fabricantes dicen haber recibido una cantidad importante de estos mensajes, desde máquinas infectadas, siendo la mayoría de China, Bélgica y Holanda (según F-Secure).


Reparación manual

Deshabilitar las carpetas compartidas por programas P2P

Si utiliza un programa de intercambio de archivos entre usuarios (KaZaa, Morpheus, iMesh, etc.), siga antes estas instrucciones:

Cómo deshabilitar compartir archivos en programas P2P
http://www.vsantivirus.com/deshabilitar-p2p.htm


Antivirus

1. Actualice sus antivirus con las últimas definiciones
2. Ejecútelos en modo escaneo, revisando todos sus discos
3. Borre los archivos detectados como infectados


Borrado manual de los archivos creados por el gusano

Desde el Explorador de Windows, localice y borre los siguientes archivos:

C:\Windows\CyberWolf.exe

En la carpeta "C:\Windows\System\" borre estos archivos

Api Hooking-Tutorial.exe
Christina Aguilera-The most beautiful girl on earth.scr
FixSql.com
format.com
Hotmail Hacker.exe
Kernel32.exe
Last Summer.scr
Love.scr
Magical-Screensaver.scr
mapi32.drv
MsnMsgs.exe
OutWar Demo.exe
Q30215HOTFIX.pif
Saddam-the real pics.scr
SARS-Guide.scr
Setup.exe
Soccer Database.exe
Virtual Joke.scr

Pinche con el botón derecho sobre el icono de la "Papelera de reciclaje" en el escritorio, y seleccione "Vaciar la papelera de reciclaje".

Borre también los mensajes electrónicos similares a los descriptos antes.


Editar el registro

Nota: algunas de las ramas en el registro aquí mencionadas, pueden no estar presentes ya que ello depende de que versión de Windows se tenga instalada.

1. Ejecute un antivirus actualizado y anote los archivos del troyano detectados

2. Desde Inicio, Ejecutar, teclee lo siguiente (puede usar cortar y pegar) y pulse Enter:

Command /c Rename C:\Windows\Regedit.exe Regedit.com

Si Windows no está instalado en C:\WINDOWS, debe cambiar esta referencia (Ej: C:\NOMBRE\REGEDIT.EXE, etc.).

3. Desde Inicio, Ejecutar, teclee REGEDIT.COM y pulse Enter

4. En el panel izquierdo del editor de registro de Windows, pinche en el signo "+" hasta abrir la siguiente rama:

HKEY_CLASSES_ROOT
\exefile
\shell
\open
\command

5. Pinche sobre la carpeta "command". En el panel de la derecha debería ver en la columna "Nombre", (Predeterminado), y en la columna "Datos" lo siguiente:

c:\windows\system\kernel32.exe "%1" %*

6. Pinche sobre "(Predeterminado)" y en Información del valor, debe borrar el nombre del cargador (c:\windows\system\kernel32.exe) y dejar en "Datos" solo esto (comillas, porcentaje, uno, comillas, espacio, porcentaje, asterisco):

"%1" %*

7. En el panel izquierdo del editor, pinche en el signo "+" hasta abrir la siguiente rama:

HKEY_LOCAL_MACHINE
\SOFTWARE
\Microsoft
\Windows
\CurrentVersion
\Run

8. Pinche en la carpeta "Run" y en el panel de la derecha, bajo la columna "Nombre", busque y borre las siguientes entradas:

CyberWolf
Windows Kernel

9. En el panel izquierdo del editor, pinche en el signo "+" hasta abrir la siguiente rama:

HKEY_LOCAL_MACHINE
\SOFTWARE
\Microsoft
\Windows
\CurrentVersion
\App Paths

10. Pinche en la carpeta "App Paths" y borre las siguientes carpetas:

REGEDIT.EXE
MSCONFIG.EXE

11. En el panel izquierdo del editor, pinche en el signo "+" hasta abrir la siguiente rama:

HKEY_LOCAL_MACHINE
\SOFTWARE
\Microsoft
\Windows NT
\CurrentVersion
\Winlogon

12. Pinche en la carpeta "Winlogon" y en el panel de la derecha borre la siguiente entrada:

system

13. En el panel izquierdo del editor, pinche en el signo "+" hasta abrir la siguiente rama:

HKEY_CURRENT_USER
\SOFTWARE
\Microsoft
\Windows
\CurrentVersion
\Explorer
\Advanced

14. Pinche en la carpeta "Advanced" y en el panel de la derecha borre las siguientes entradas:

Hidden
HideFileExt

15. Use "Registro", "Salir" para salir del editor y confirmar los cambios.

16. Reinicie su computadora (Inicio, Apagar el sistema, Reiniciar).


Información adicional

Mostrar las extensiones verdaderas de los archivos

Para poder ver las extensiones verdaderas de los archivos y además visualizar aquellos con atributos de "Oculto", proceda así:

1. Ejecute el Explorador de Windows

2. Seleccione el menú 'Ver' (Windows 95/98/NT) o el menú 'Herramientas' (Windows Me/2000/XP), y pinche en 'Opciones' u 'Opciones de carpetas'.

3. Seleccione la lengüeta 'Ver'.

4. DESMARQUE la opción "Ocultar extensiones para los tipos de archivos conocidos" o similar.

5. En Windows 95/NT, MARQUE la opción "Mostrar todos los archivos y carpetas ocultos" o similar.

En Windows 98, bajo 'Archivos ocultos', MARQUE 'Mostrar todos los archivos'.

En Windows Me/2000/XP, en 'Archivos y carpetas ocultos', MARQUE 'Mostrar todos los archivos y carpetas ocultos' y DESMARQUE 'Ocultar archivos protegidos del sistema operativo'.

6. Pinche en 'Aplicar' y en 'Aceptar'.


Limpieza de virus en Windows Me y XP

Si el sistema operativo instalado es Windows Me o Windows XP, para poder eliminar correctamente este virus de su computadora, deberá deshabilitar antes de cualquier acción, la herramienta "Restaurar sistema" como se indica en estos artículos:

Limpieza de virus en Windows Me
http://www.vsantivirus.com/faq-winme.htm

Limpieza de virus en Windows XP
http://www.vsantivirus.com/faq-winxp.htm



(c) Video Soft - http://www.videosoft.net.uy
(c) VSAntivirus - http://www.vsantivirus.com