Shavr is a Trojan that upon execution, copies itself to the root of the system drive and to the system folder.

An autorun.inf file is also created in the root of the system drive. This causes a double-click on the drive letter in Windows Explorer to launch another instance of the Trojan. A desktop.ini file is also added, but has no effect as the single item it contains is set to an invalid value ("ConfirmFileOp=10"). The varsh.txt file contains only a short message from the Trojan author.

Two registry values are added to disable usage of the Task Manager and RegEdit. An entry in the registry Run key is also created to launch the Trojan at each system startup. These registry elements are re-created approximately every 30 seconds while the Trojan is running.


When the local system time is between 14:00 and 15:00, Shavr also executes a forced system shutdown with a 30 second delay.

More information can be found at this McAfee page.