In the wild:
Medium to high
- Monday, January 24, 2011
Methods of propagation:
• Autorun feature
• Mapped network drives
Aliases:
• Symantec: W32.Virut.CF
• Kaspersky: Worm.Win32.AutoRun.ckvt
• TrendMicro: WORM_AUTORUN.FKP
Platforms / OS:
• Windows 2000
• Windows XP
• Windows 2003
• Windows Vista
• Windows 7
Side effects:
• Downloads files
• Drops files
• Registry modification
• Steals information
It copies itself to the following locations:
• %ALLUSERSPROFILE%\Application Data\wmimgmt.exe
The following files are created:
\autorun.inf This is a non-malicious text file with the following content:
%code that runs malware%
\avp.exe Further investigation showed that this file is also malware. Detected as: TR/Orsam.A.7761
\drivers.p This file contains collected information about the system.
\ghi.bat Further investigation showed that this file is also malware. Detected as: BAT/Agent.DA
\temp.vih Contains parameters used by the malware.
\INFO.TXT This file contains collected information about the system.
It tries to download a file:
– The location is the following:
At the time of writing, this file was not online for further investigation.
The following registry key is added:
The following registry key is changed:
Various Explorer settings:
To ensure its propagation, the malware attempts to connect to other machines as described below.
It drops a copy of itself to the following network share:
• It copies itself to network shares using random names found on the victim's system.
As a result it may send some information.
Sends information about:
• Information about the Windows operating system
The malware program was written in MS Visual C++.
Description inserted by Andrei Ilie on Monday, August 1, 2011
Description updated by Andrei Ilie on Wednesday, August 3, 2011