Date discovered: 21/08/2007
In the wild: Yes
Reported Infections: Low to medium
Distribution Potential: Low to medium
Damage Potential: Medium to high
Static file: Yes
File size: 94.208 Bytes
MD5 checksum: 75691359d5c9e0e7e09ce6cd1802bc31
IVDF version: - Tuesday, August 21, 2007

General

Method of propagation:
   • Mapped network drives

Aliases:
   •  McAfee: W32/Autorun.worm.i.gen
   •  Kaspersky: Worm.Win32.AutoRun.wj
   •  F-Secure: Worm.Win32.AutoRun.wj
   •  Sophos: W32/SillyFDC-BJ
   •  Eset: Win32/AutoRun.LG
   •  Bitdefender: Trojan.Autorun.VN

Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Drops files
   • Lowers security settings
   • Registry modification

Right after execution the following information is displayed:

Right after execution it runs a windows application which will display the following window:

Files

It copies itself to the following locations:
   • C:\Documents and Settings\LocalService\services.exe
   • %SYSDIR%\drivers\smss.exe
   • %WINDIR%\winlogon.exe
   • %drive%:\RECYCLER.exe
   • %drive%:\Gwen(ISU) Scandal.exe
   • %drive%:\Sex Video.exe
   • %drive%:\zeluR maeTCP.exe
   • %all directories%\%current directory name%.exe

It renames the following files:

      %SYSDIR%\hal.dll into FuckUHal
      %WINDIR%\explorer.exe into FuckU
      %SYSDIR%\dllcache into FuckU
      %SYSDIR%\shell32.dll into FuckU1
      %SYSDIR%\ntoskrnl.dll into FuckU2

The following files are created:

%drive%:\Autorun.inf This is a non-malicious text file with the following content:
   • %code that runs malware%
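
The file locations above can be turned into a triage check over a file listing taken from a removable or mapped drive. This is an added example, not Avira's code: the function names, reason labels and sample paths are constructed for illustration, and a match is a lead for review rather than a verdict, since legitimate media can carry an Autorun.inf and some software ships an executable named after its folder.

```python
from pathlib import PureWindowsPath

# File names the description lists as copies placed in a drive root.
ROOT_DROPS = {"recycler.exe", "gwen(isu) scandal.exe",
              "sex video.exe", "zelur maetcp.exe"}

def classify(path_str):
    """Return the reason a path matches the description, or None."""
    p = PureWindowsPath(path_str)
    name = p.name.lower()
    at_root = p.parent == PureWindowsPath(p.anchor)
    if at_root and name in ROOT_DROPS:
        return "root-drop"
    if at_root and name == "autorun.inf":
        return "autorun-inf"
    # "%all directories%\%current directory name%.exe":
    # an executable whose name repeats the folder that contains it.
    if (not at_root and p.suffix.lower() == ".exe"
            and p.stem.lower() == p.parent.name.lower()):
        return "folder-named-exe"
    return None

def triage(paths):
    """Group matching paths by reason; non-matching paths are omitted."""
    hits = {}
    for s in paths:
        reason = classify(s)
        if reason:
            hits.setdefault(reason, []).append(s)
    return hits

# Constructed listing of a removable drive E: (not taken from a real system).
SAMPLE = [
    r"E:\Autorun.inf",
    r"E:\RECYCLER.exe",
    r"E:\Photos\Photos.exe",
    r"E:\Photos\2007\2007.exe",
    r"E:\Photos\2007\img001.jpg",
    r"E:\Tools\setup.exe",
]

if __name__ == "__main__":
    for reason, found in triage(SAMPLE).items():
        print(reason, found)
```

Because the worm sets HideFileExt = 1, a folder-named copy appears in Explorer without its .exe extension, so the listing should come from a tool that shows full file names.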

It tries to execute the following file:

   • %PROGRAM FILES%\Windows Media Player\wmplayer.exe

Registry

The following registry key is added in order to run the process after reboot:

   • winlogon = %WINDIR%\winlogon.exe

The following registry key is changed:

Various Explorer settings:
   New value:
   • HideFileExt = 1
   • SuperHidden = 1
   • ShowSuperHidden = 0

File details

Programming language:
The malware program was written in Visual Basic.

Description inserted by Andrei Gherman on Wednesday, August 6, 2008
Description updated by Andrei Gherman on Wednesday, August 6, 2008
