Virus: Worm/Verst.A.18
Date discovered: 07/09/2011
Type: Worm
In the wild: Yes
Reported infections: Low
Distribution potential: Low to medium
Damage potential: Low to medium
Static file: Yes
File size: 684.544 Bytes
MD5 checksum: 8301FB9EF61560C76D2F0BC576AA4972

General method of propagation:
   • Autorun feature


Aliases:
   • TrendMicro: WORM_VERST.SM
   • Sophos: Mal/EncPk-MX
   • Microsoft: Worm:Win32/Verst


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows 7


Side effects:
   • Drops files
   • Registry modification

Files
It copies itself to the following locations:
   • %ALLUSERSPROFILE%\Application Data\srtserv\%executed file%
   • %drive%\%randomly chosen directory%



The following files are created:

%drive%\aUtoRuN.iNF
This is a non-malicious text file with the following content:
   • %code that runs malware%

%ALLUSERSPROFILE%\Application Data\srtserv\sdata.dll
Further investigation showed that this file is malware, too. Detected as: WORM/Verst.B.3

Registry
One of the following values is added in order to run the process after reboot:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "srtserv"="%ALLUSERSPROFILE%\Application Data\srtserv\%executed file%"



The following registry key is added:

[HKCU\Software\Microsoft\Windows\CurrentVersion\MSrtn]
   • "value1"="%executed file%"
   • "value2"=dword:000006d0
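The file and registry artifacts listed above are enough for a read-only host triage check. The following PowerShell script is an added example written for this description, not Avira's own tooling: it looks for the "srtserv" Run value, the MSrtn key, the srtserv drop directory (whose executable name is unknown, so every file there is listed and its MD5 compared with the checksum given above) and an autorun.inf at the root of each file-system drive. It assumes it is run with administrative rights and only reports; it removes nothing.

```powershell
# Added example (not part of the Avira description): read-only triage for the
# host artifacts this description lists. Reports findings, changes nothing.

# MD5 of the analysed sample, taken from the description header.
$knownMd5 = '8301FB9EF61560C76D2F0BC576AA4972'
$findings = @()

# 1. Persistence value under the HKLM Run key (value name from the description).
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runValue = (Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue).srtserv
if ($runValue) {
    $findings += [pscustomobject]@{ Artifact = 'Run value "srtserv"'; Detail = $runValue }
}

# 2. Marker key the worm adds under HKCU (value names from the description).
$markerKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\MSrtn'
if (Test-Path $markerKey) {
    $props = Get-ItemProperty -Path $markerKey
    $findings += [pscustomobject]@{
        Artifact = 'Key MSrtn'
        Detail   = "value1=$($props.value1) value2=$($props.value2)"
    }
}

# 3. Drop directory under the all-users profile. The dropped executable's name
#    is not known, so every file in the directory is listed and hashed.
$dropDir = Join-Path $env:ALLUSERSPROFILE 'Application Data\srtserv'
if (Test-Path $dropDir) {
    Get-ChildItem -Path $dropDir -File -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $hash  = (Get-FileHash -Path $_.FullName -Algorithm MD5).Hash
        $match = if ($hash -eq $knownMd5) { ' (matches known sample)' } else { '' }
        $findings += [pscustomobject]@{
            Artifact = 'Dropped file'
            Detail   = "$($_.FullName) MD5=$hash$match"
        }
    }
}

# 4. autorun.inf at the root of every file-system drive (removable-media spread).
Get-PSDrive -PSProvider FileSystem | ForEach-Object {
    $inf = Join-Path $_.Root 'autorun.inf'
    if (Test-Path $inf -ErrorAction SilentlyContinue) {
        $findings += [pscustomobject]@{ Artifact = 'autorun.inf'; Detail = $inf }
    }
}

if ($findings.Count -eq 0) {
    'No Worm/Verst.A artifacts found.'
} else {
    $findings | Format-Table -AutoSize
}
```

A hit on the Run value or the MSrtn key is the strongest signal, since both are written only by the worm; an autorun.inf alone is also created by legitimate installers and needs to be read to see whether it launches a file from a randomly named directory as described above.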

Miscellaneous
Accesses internet resources:
   • http://**********d8310.ucoz.ru/setx.dat
   • http://**********tat.ru/data/setx.dat
   • http://**********85488.info/setx.dat
   • http://**********777c6.h18.ru/setx.dat
   • http://**********bc2f2.ru/setx.dat
   • http://**********a3c62.org.ru/setx.dat
   • http://**********8f5b1.com/setx.dat
   • http://**********21498.yourfreehosting.net/setx.dat
   • http://**********ff509.eu.pn/setx.dat
   • http://**********1d733.net/setx.dat
   • http://**********7e820.com/setx.dat
   • http://**********fant.ru/data/setx.dat
   • http://**********27d11.org/setx.dat
   • http://**********herbal.com/data/setx.dat
   • http://**********nergi.dk/data/taskx.dat
   • http://**********dent-card.ru/data/setx.dat
   • http://**********dmosk.ru/setx.dat

File details
Runtime packer:
In order to hinder detection and reduce the size of the file, it is packed with the following runtime packer:
   • UPX

Description inserted by Andrei Ilie on Wednesday, September 14, 2011
Description updated by Andrei Ilie on Wednesday, September 14, 2011
