Name: WORM/VB.arz.99
Discovered on: 08/07/2010
Type: Worm
In the wild: Yes
Number of reported infections: Low
Distribution potential: Medium
Damage potential: Low to medium
Static file: Yes
File size: 94,208 bytes
MD5 checksum: 96d8dae98be6f62e2f428f7c94fa141e
IVDF version: 7.10.09.46 - Thursday, July 8, 2010

General
Method of propagation:
• No own spreading routine
Aliases:
• Symantec: W32.Daprosy
• McAfee: W32/Autorun.worm.h
• Sophos: W32/Autorun-AMS
• Eset: Win32/AutoRun.VB.FX
Operating systems:
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003
Side effects:
• Drops a file
• Registry modification

Files
It copies itself to the following locations:
• c:\Documents and Settings.exe
• c:\etc.exe
• c:\Gmer.exe
• c:\My Downloads.exe
• c:\oncrpc.exe
• c:\Program Files.exe
• c:\sysinternals-ProcessMonitor.exe
• c:\temp.exe
• c:\util.exe
• c:\w32.exe
• c:\WINDOWS.exe
• %malware execution directory%.exe
• c:\Classified.exe
• c:\%executed file%\Classified.exe
• %ALLUSERSPROFILE%\Desktop\Classified.exe
• %ALLUSERSPROFILE%\Documents\My Music.exe
• %ALLUSERSPROFILE%\Documents\My Pictures.exe
• %ALLUSERSPROFILE%\Documents\My Videos.exe
• %ALLUSERSPROFILE%\Documents\Classified.exe
• %HOME%\My Documents\My Music.exe
• %HOME%\My Documents\My Pictures.exe
• %HOME%\My Documents\Classified.exe
• %PROGRAM FILES%\Common Files.exe
• %PROGRAM FILES%\ComPlus Applications.exe
• %PROGRAM FILES%\Internet Explorer.exe
• %PROGRAM FILES%\Java.exe
• %PROGRAM FILES%\Messenger.exe
• %PROGRAM FILES%\microsoft frontpage.exe
• %PROGRAM FILES%\Microsoft Script Debugger.exe
• %PROGRAM FILES%\Movie Maker.exe
• %PROGRAM FILES%\MSBuild.exe
• %PROGRAM FILES%\MSN.exe
• %PROGRAM FILES%\MSN Gaming Zone.exe
• %PROGRAM FILES%\NetMeeting.exe
• %PROGRAM FILES%\Online Services.exe
• %PROGRAM FILES%\Outlook Express.exe
• %PROGRAM FILES%\ProcessGuard.exe
• %PROGRAM FILES%\Reference Assemblies.exe
• %PROGRAM FILES%\RootKit Hook Analyzer.exe
• %PROGRAM FILES%\Systems Internals.exe
• %PROGRAM FILES%\Unlocker.exe
• %PROGRAM FILES%\Windows Media Player.exe
• %PROGRAM FILES%\Windows NT.exe
• %PROGRAM FILES%\WinPcap.exe
• %PROGRAM FILES%\Wireshark.exe
• %PROGRAM FILES%\xerox.exe
• %PROGRAM FILES%\Classified.exe
• %WINDIR%\addins.exe
• %WINDIR%\AppPatch.exe
• %WINDIR%\Config.exe
• %WINDIR%\Connection Wizard.exe
• %WINDIR%\Cursors.exe
• %WINDIR%\DEBUG.EXE
• %WINDIR%\Driver Cache.exe
• %WINDIR%\EHome.exe
• %WINDIR%\Help.exe
• %WINDIR%\ime.exe
• %WINDIR%\java.exe
• %WINDIR%\Media.exe
• %WINDIR%\Microsoft.NET.exe
• %WINDIR%\Minidump.exe
• %WINDIR%\msagent.exe
• %WINDIR%\msapps.exe
• %WINDIR%\mui.exe
• %WINDIR%\Offline Web Pages.exe
• %WINDIR%\PCHEALTH.exe
• %WINDIR%\peernet.exe
• %WINDIR%\Prefetch.exe
• %WINDIR%\provisioning.exe
• %WINDIR%\Registration.exe
• %WINDIR%\repair.exe
• %WINDIR%\Resources.exe
• %WINDIR%\security.exe
• %WINDIR%\ServicePackFiles.exe
• %WINDIR%\SoftwareDistribution.exe
• %WINDIR%\srchasst.exe
• %WINDIR%\system.exe
• %WINDIR%\system32.exe
• %WINDIR%\Temp.exe
• %WINDIR%\twain_32.exe
• %WINDIR%\Web.exe
• %WINDIR%\WinSxS.exe
• %WINDIR%\Classified.exe
• %ALLUSERSPROFILE%\Start Menu\Programs\Startup\Classified.exe
• %ALLUSERSPROFILE%\application data\Microsoft\KBDriver\kbdsys.exe
• %ALLUSERSPROFILE%\application data\Zilch.InfiniSoft\dirlock.exe
• %TEMPDIR%\am5kv6-ai69z6-64xxga-b28hra-vqs1tr\csrss.exe
• %SYSDIR%\nthlpsvc1.exe
• %TEMPDIR%\5t94i8-5p9tn9-1b1h4d-lrqj4q-5f9357\svchost.exe
• %WINDIR%\lsass.exe
• %TEMPDIR%\k2zg09-kyz559-glrtmd-3jkeaq-a9t43h\csrss.exe
• %SYSDIR%\nthlpsvc2.exe
The following file is created:
– %WINDIR%\shutdown.dll
This is a non-malicious text file with the following content:
• c:\%executed file%

Registry
The following registry keys are added in order to run the process after a system restart:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
• "WinSys"="%WINDIR%\system.exe"
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• "DirLocker"="%ALLUSERSPROFILE%\application data\Zilch.InfiniSoft\dirlock.exe"
• "LSAShell"="%WINDIR%\lsass.exe"
The following registry keys are added:
– [HKCU\Software\Microsoft\Visual Basic\6.0]
– [HKCU\Software\Microsoft\Visual Basic]
The following registry keys are changed:
– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
Old value:
• "Shell"="Explorer.exe"
New value:
• "Shell"="Explorer.exe "%ALLUSERSPROFILE%\application data\Microsoft\KBDriver\kbdsys.exe""
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
Old value:
• "Hidden"=dword:00000001
New value:
• "Hidden"=dword:00000002
• "HideFileExt"=dword:00000001
• "SuperHidden"=dword:00000001
• "ShowSuperHidden"=dword:00000000
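The registry changes listed above combine two things a defender can check for independently of the file names: a Winlogon Shell value that is no longer plain "Explorer.exe", and Explorer view settings that keep hidden files and known extensions out of sight (which is what lets a copy named "Program Files.exe" pass for a folder). The following added example, which is not Avira's code and not part of this description, audits a registry export in .reg format for exactly those conditions. The export text is constructed from the values above; the expanded paths for %WINDIR% and %ALLUSERSPROFILE% assume Windows XP defaults, and the value names and file names treated as suspicious are only those this description lists.

```python
import re
from typing import Dict, List, Union

RegValue = Union[str, int]
RegTree = Dict[str, Dict[str, RegValue]]

# Constructed .reg export reproducing the values from the description above.
# Expanded paths assume Windows XP defaults for %WINDIR% and %ALLUSERSPROFILE%.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"WinSys"="C:\\WINDOWS\\system.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DirLocker"="C:\\Documents and Settings\\All Users\\application data\\Zilch.InfiniSoft\\dirlock.exe"
"LSAShell"="C:\\WINDOWS\\lsass.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe \"C:\\Documents and Settings\\All Users\\application data\\Microsoft\\KBDriver\\kbdsys.exe\""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
"HideFileExt"=dword:00000001
"SuperHidden"=dword:00000001
"ShowSuperHidden"=dword:00000000
'''

# Constructed export from a clean system, for comparison.
CLEAN_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000001
'''

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
RUN_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)
ADVANCED = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"

# Run value names and dropped file names taken from the description above.
SUSPECT_RUN_NAMES = {"winsys", "dirlocker", "lsashell"}
SUSPECT_BINARIES = {"system.exe", "dirlock.exe", "lsass.exe", "kbdsys.exe"}


def parse_reg(text: str) -> RegTree:
    """Parse the subset of the .reg format used here: [key] headers,
    "name"="string" lines (with \\ and \" escapes) and "name"=dword:hex lines."""
    keys: RegTree = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if not m or current is None:
            continue
        name, data = m.group(1), m.group(2)
        if data.startswith("dword:"):
            keys[current][name] = int(data[6:], 16)
        elif len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            # Undo .reg escaping: \\ -> \ and \" -> "
            keys[current][name] = re.sub(r"\\(.)", r"\1", data[1:-1])
    return keys


def audit(keys: RegTree) -> List[str]:
    """Return findings. "[indicator]" entries match the worm's changes directly;
    "[weak setting]" entries are Windows defaults the worm re-asserts, so they
    are settings to correct rather than proof of infection on their own."""
    findings: List[str] = []
    # A stock Winlogon Shell is exactly "Explorer.exe"; anything appended runs at logon.
    shell = keys.get(WINLOGON, {}).get("Shell")
    if isinstance(shell, str) and shell.strip().lower() != "explorer.exe":
        findings.append(f"[indicator] Winlogon Shell altered: {shell}")
    # Run entries pointing at the dropped binaries, or using the listed value names.
    for key in RUN_KEYS:
        for name, value in keys.get(key, {}).items():
            if not isinstance(value, str):
                continue
            exe = re.split(r"[\\/]", value.strip().strip('"'))[-1].lower()
            if name.lower() in SUSPECT_RUN_NAMES or exe in SUSPECT_BINARIES:
                findings.append(f"[indicator] Run entry {name!r} -> {value}")
    # Explorer view settings: Hidden=2 means "do not show hidden files".
    adv = keys.get(ADVANCED, {})
    if adv.get("Hidden") == 2:
        findings.append("[indicator] Explorer Hidden=2: hidden files are not shown")
    if adv.get("HideFileExt") == 1:
        findings.append("[weak setting] HideFileExt=1: known extensions are hidden")
    if adv.get("ShowSuperHidden") == 0:
        findings.append("[weak setting] ShowSuperHidden=0: protected OS files are hidden")
    return findings


if __name__ == "__main__":
    for label, text in (("infected sample", SAMPLE_REG), ("clean sample", CLEAN_REG)):
        print(f"== {label} ==")
        for finding in audit(parse_reg(text)) or ["no findings"]:
            print(" ", finding)
```

Running it against the infected sample yields five indicator lines (the Shell hijack, the three Run entries, Hidden=2) and two weak-setting lines; the clean sample yields none. A real export can be produced with `reg export` and fed to `parse_reg` the same way.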
Description inserted by Carlos Valero Llabata on Thursday, July 8, 2010
Description updated by Carlos Valero Llabata on Thursday, July 8, 2010