English
Deutsch
Francais
Español
Italian
Home
Virus Info
Worm/Anixma.A
Search
Home
Support
Solutions
Products
Downloads
Virus Info
Statistics
Phishing Worldmap
VDF History
Virus Science
Submit Sample
Security News
Viruses In the Wild
Company
Press
Partners
Newsletter
Worm/Anixma.A - Worm
See also
Summary
Full description
Statistics
How would you rate this information?
Worthless
Excellent
Virus:
Worm/Anixma.A
Date discovered:
04/10/2005
Type:
Worm
In the wild:
No
Reported Infections:
Low
Distribution Potential:
Low to medium
Damage Potential:
Medium
Static file:
Yes
File size:
29.184 Bytes
MD5 checksum:
8c70791f7ef061117dd37deb361c93df
VDF version:
6.32.0.58
General
Method of propagation:
• Messenger
Aliases:
• TrendMicro: WORM_ANIXMA.A
• Bitdefender: Backdoor.IRCBot.HM
Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003
Side effects:
• Disable security applications
• Lowers security settings
• Registry modification
• Third party control
Files
It copies itself to the following location:
•
%SYSDIR%
\
%random character string%
.exe
Registry
The following registry key is added in order to run the process after reboot:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• "Windows Socketheader"="
%random character string%
.exe"
The values of the following registry key are removed:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• avg7_cc
• avg7_emc
• ccApp
• KAV50
• KAVPersonal50
• McAfee Guardian
• McAfee.InstantUpdate.Monitor
It creates the following entries in order to bypass the Windows XP firewall:
– [HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
• "EnableFirewall"=dword:00000000
– [HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
• "EnableFirewall"=dword:00000000
– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile]
• "EnableFirewall"=dword:00000000
Messenger
It is spreading via Messenger. The characteristics are described below:
– AIM Messenger
– Windows Messenger
To:
All open conversation windows.
IRC
To deliver system information and to provide remote control it connects to the following IRC Server:
Server: xxx.s**********.biz
Port: 5190
Channel: #504
Nickname:
%random character string%
Password: cali
– Furthermore it has the ability to perform actions such as:
• Download file
• Execute file
• Start spreading routine
• Terminate malware
Miscellaneous
Mutex:
It creates the following Mutex:
• E8Zd9EdE
File details
Programming language:
The malware program was written in MS Visual C++.
Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with the following runtime packer:
• tElock
See a brief description
here
.
Description inserted by Iulia Diaconescu on Tue, 04 Oct 2005 13:44 (GMT+1)
Description updated by Andrei Ivanes on Wed, 12 Oct 2005 16:04 (GMT+1)
»
About Malware
»
About Phishing
»
Viruses In the Wild
« back
Print this page
Worm/Mytob.AT
Worm/Mytob.U
TR/Crypt.CFI.Gen
Worm/Netsky.J
Worm/Mytob.AD
HEUR/PDF.Obfuscated
SPR/mIRC.Gen
TR/Crypt.UPKM.Gen
JS/Dldr.Agent.cex
TR/Dldr.Tiny.bqw
Get comfortable up to the minute info from Avira as
Detects and removes the following malware and its variants:
Worm/Sober.J
Worm/Sober.P
Worm/Sober.Y
W32/Stanit.A
Worm/NetSky.AA
Worm/NetSky.B.1
Worm/NetSky.C
Worm/Netsky.D.Dam
Worm/NetSky.P
Worm/NetSky.X
Worm/Mytob.IN.2
Worm/Mytob.KS
TR/Spy.Banker.AATZ
TR/Spy.Banker.AATZ.1
TR/Spy.Banker.AATZ.2
TR/Spy.Banker.AATZ.3
Download here
Click
here
to get the panel...
© 2008 Avira GmbH
Copyright
Privacy
Sitemap
Feedback
Imprint
FAQ
Contact
Virus Info Worm/Anixma.A
Print this page
.gif)
