Date discovered: 07/09/2011
In the wild: Yes
Reported Infections: Low
Distribution Potential: Low to medium
Damage Potential: Low to medium
Static file: Yes
File size: 684.544 Bytes
MD5 checksum: 8301FB9EF61560C76D2F0BC576AA4972

General
Method of propagation:
   • Autorun feature

Aliases:
   • TrendMicro: WORM_VERST.SM
   • Sophos: Mal/EncPk-MX
   • Microsoft: Worm:Win32/Verst

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows 7

Side effects:
   • Drops files
   • Registry modification

Files
It copies itself to the following locations:
   • %ALLUSERSPROFILE%\Application Data\srtserv\%executed file%
   • %drive%\%randomly chosen directory%

The following files are created:

– %drive%\aUtoRuN.iNF This is a non-malicious text file with the following content:
   • %code that runs malware%

– %ALLUSERSPROFILE%\Application Data\srtserv\sdata.dll Further investigation pointed out that this file is malware, too. Detected as: WORM/Verst.B.3

Registry
One of the following values is added in order to run the process after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "srtserv"="%ALLUSERSPROFILE%\Application Data\srtserv\%executed file%"

The following registry key is added:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\MSrtn]
   • "value1"="%executed file%"
   • "value2"=dword:000006d0

Miscellaneous
Accesses internet resources:
   • http://**********;

File details
Runtime packer:
To make detection harder and reduce the size of the file, it is packed with the following runtime packer:
   • UPX

Description inserted by Andrei Ilie on Wednesday, September 14, 2011
Description updated by Andrei Ilie on Wednesday, September 14, 2011
