Virus: Worm/Autorun.YD
Date discovered: 19/05/2009
Type: Worm
In the wild: No
Reported Infections: Low to medium
Distribution Potential: Low to medium
Damage Potential: Low to medium
Static file: No
VDF version: 7.01.03.226
IVDF version: 7.01.03.229 - Tuesday, May 19, 2009

General Method of propagation:
   • Autorun feature


Aliases:
   •  Microsoft: Worm:Win32/Nabony.A
   •  Eset: Win32/AutoRun.Agent.YD


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7


Side effects:
   • Drops files
   • Registry modification

Files
It copies itself to the following locations:
   • %HOME%\Application Data\readere_lm.com
   • %SYSDIR%\acrobat.com
   • %HOME%\Local Settings\Application Data\Microsoft\CD Burning\CD_RW.exe



The following files are created:

– %HOME%\Local Settings\Application Data\Microsoft\CD Burning\autorun.inf This is a non-malicious text file with the following content:
   • %code that runs malware%

– %HOME%\Application Data\dbf.ltb This is a non-malicious text file with the following content:
   • %code that runs malware%

Registry
To each of the following registry keys one of these values is added so that the process is started again after a reboot:

–  HKCU\Software\Microsoft\Windows\CurrentVersion\Run
   • "updater"="%HOME%\Application Data\readere_lm.com"

–  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   • "updater"="%SYSDIR%\acrobat.com"



The following registry key is added:

– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
   • "CheckedValue"=dword:00000000



The following registry key is changed:

Various Explorer settings:

– HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
   Old value:
   • "Hidden"=dword:00000002
   New value:
   • "Hidden"=dword:00000000
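The dropped files and registry changes listed above can be checked on a suspect host with a read-only triage script. This is an added example, not part of the Avira description; it assumes %HOME% corresponds to $env:USERPROFILE and %SYSDIR% to %SystemRoot%\System32, and it only reports findings without changing anything.

```powershell
# Added triage check for the Worm/Autorun.YD indicators listed in the description.
# Assumptions: %HOME% -> $env:USERPROFILE, %SYSDIR% -> $env:SystemRoot\System32.
# On Vista and later, "Application Data" and "Local Settings" are junctions into AppData.
$findings = @()

# Copies of the worm and the two dropped text files (paths from the description)
$files = @(
  (Join-Path $env:USERPROFILE 'Application Data\readere_lm.com'),
  (Join-Path $env:SystemRoot  'System32\acrobat.com'),
  (Join-Path $env:USERPROFILE 'Local Settings\Application Data\Microsoft\CD Burning\CD_RW.exe'),
  (Join-Path $env:USERPROFILE 'Local Settings\Application Data\Microsoft\CD Burning\autorun.inf'),
  (Join-Path $env:USERPROFILE 'Application Data\dbf.ltb')
)
foreach ($f in $files) {
  if (Test-Path -LiteralPath $f) { $findings += "File present: $f" }
}

# "updater" Run values pointing at the dropped .com copies (persistence)
$runKeys = @(
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($k in $runKeys) {
  $v = Get-ItemProperty -Path $k -Name 'updater' -ErrorAction SilentlyContinue
  if ($v -and $v.updater -match '(readere_lm|acrobat)\.com$') {
    $findings += "Run value: $k\updater = $($v.updater)"
  }
}

# Explorer tampering: "Show hidden files" option disabled and hidden files not shown
$showAll = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL' `
                            -Name 'CheckedValue' -ErrorAction SilentlyContinue
if ($showAll -and $showAll.CheckedValue -eq 0) {
  $findings += 'SHOWALL\CheckedValue = 0 (normally 1)'
}
$hidden = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' `
                           -Name 'Hidden' -ErrorAction SilentlyContinue
if ($hidden -and $hidden.Hidden -eq 0) {
  $findings += 'Explorer\Advanced\Hidden = 0 (description lists old value 2)'
}

if ($findings.Count -gt 0) {
  $findings | ForEach-Object { Write-Output "[!] $_" }
} else {
  Write-Output 'No Worm/Autorun.YD indicators found.'
}
```

Run it in an elevated session so the HKLM and %SYSDIR% checks are not skipped for lack of rights; a match on any file or Run value warrants quarantine of the sample rather than just deleting the registry entries, since the dropper would otherwise recreate them.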

File details
Programming language:
The malware program was written in MS Visual C++.


Runtime packer:
To hinder detection and reduce the file size, it is packed with the following runtime packer:
   • PE Pack 1.0


Encryption:
Encrypted - The virus code inside the file is encrypted.

Description inserted by Ana Maria Niculescu on Thursday, April 5, 2012
Description updated by Andrei Gherman on Thursday, April 5, 2012
