English
Deutsch
Español
Italian
Home
Virus Info
Worm/Rindu.D
Search
Home
Support
Solutions
Products
Downloads
Virus Info
Statistics
Phishing Worldmap
VDF History
Virus Science
Submit Sample
Security News
Viruses In the Wild
Company
Press
Partners
Newsletter
Worm/Rindu.D - Worm
See also
Summary
Full description
Statistics
How would you rate this information?
Worthless
Excellent
Virus:
Worm/Rindu.D
Date discovered:
28/08/2007
Type:
Worm
In the wild:
Yes
Reported Infections:
Low
Distribution Potential:
Medium
Damage Potential:
Medium to high
Static file:
Yes
File size:
107.008 Bytes
MD5 checksum:
85eeb3645837f31308f44f9746c9bc82
VDF version:
6.39.01.79
IVDF version:
6.39.01.082
General
Methods of propagation:
• Local network
• Mapped network drives
Aliases:
• Mcafee: W32/Ridnu.d
• Panda: W32/Ridnu.F.drp
Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003
Side effects:
• Disable security applications
• Lowers security settings
• Registry modification
Files
It copies itself to the following locations:
•
%SYSDIR%
\logonui.scr
•
%SYSDIR%
\MyComp.scr
•
%SYSDIR%
\userinit.exe
•
%SYSDIR%
\sndvol32.exe
•
%SYSDIR%
\calc.exe
•
%SYSDIR%
\notepad.exe
•
%SYSDIR%
\mspaint.exe
• C:\MSOCache\dlcache\Lagu.scr
• C:\MSOCache\dlcache\Gambar.scr
• C:\MSOCache\dlcache\Film.scr
• C:\MSOCache\dlcache\Dokumen Penting.scr
•
%PROGRAM FILES%
\outlook express.scr
•
%PROGRAM FILES%
\winamp.scr
•
%PROGRAM FILES%
\Windows Media Player.scr
•
%PROGRAM FILES%
\Windows NT\dialer.exe
•
%PROGRAM FILES%
\Internet Explorer\IEXPLORE.EXE
It creates the following directory:
• C:\MSOCache\dlcache\
Sections are added to the following files.
– To:
%SYSDIR%
\dllcache\userinit.exe With the following contents:
•
%executed file%
– To:
%SYSDIR%
\dllcache\sndvol32.exe With the following contents:
•
%executed file%
– To:
%SYSDIR%
\dllcache\calc.exe With the following contents:
•
%executed file%
– To:
%SYSDIR%
\dllcache\notepad.exe With the following contents:
•
%executed file%
– To:
%SYSDIR%
\dllcache\mspaint.exe With the following contents:
•
%executed file%
– To:
%SYSDIR%
\dllcache\iexplore.exe With the following contents:
•
%executed file%
It overwrites a file.
–
%PROGRAM FILES%
File extension:
• *.exe
With the following contents:
•
%executed file%
It copies the following files:
•
%SYSDIR%
\userinit.exe into
%SYSDIR%
\dllcache\userinit.exe
•
%SYSDIR%
\sndvol32.exe into
%SYSDIR%
\dllcache\sndvol32.exe
•
%SYSDIR%
\calc.exe into
%SYSDIR%
\dllcache\calc.exe
•
%SYSDIR%
\notepad.exe into
%SYSDIR%
\dllcache\notepad.exe
•
%SYSDIR%
\mspaint.exe into
%SYSDIR%
\dllcache\mspaint.exe
•
%PROGRAM FILES%
\Internet Explorer\iexplore.exe into
%SYSDIR%
\dllcache\iexplore.exe
The following file is created:
–
%WINDIR%
\media\suara.mp3
Registry
The following registry keys are changed:
Various Explorer settings:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
Folder\Hidden\SHOWALL]
Old value:
• "RegPath"="
%user defined settings%
"
New value:
• "RegPath"="Software\Microsoft\Windows\CurrentVersion\Explorer\AdvancedDeulleDo-X"
Various Explorer settings:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
Folder\SuperHidden]
Old value:
• "UncheckedValue"=
%user defined settings%
New value:
• "UncheckedValue"=dword:00000000
Various Explorer settings:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
Folder\ShowFullPathAddress]
Old value:
• "UncheckedValue"=
%user defined settings%
New value:
• "UncheckedValue"=dword:00000001
Various Explorer settings:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
Folder\HideFileExt]
Old value:
• "UncheckedValue"=
%user defined settings%
New value:
• "UncheckedValue"=dword:00000001
Disable Regedit and Task Manager:
– [HKCU\Software\Policies\Microsoft\Windows\System]
Old value:
• "DisableCMD"=
%user defined settings%
New value:
• "DisableCMD"=dword:00000001
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\
CabinetState]
Old value:
• "FullPathAddress"=
%user defined settings%
New value:
• "FullPathAddress"=dword:00000001
– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
Old value:
• "Shell"="
%user defined settings%
"
New value:
• "Shell"="Explorer.exe, MyComp.exe"
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
Old value:
• "DisableTaskMgr"="
%user defined settings%
"
"DisableRegistryTools"=
%user defined settings%
New value:
• "DisableTaskMgr"="1"
"DisableRegistryTools"=dword:00000001
– [HKLM\SOFTWARE\Classes\scrfile]
Old value:
• @=""="
%user defined settings%
"
"NeverShowExt"=
%user defined settings%
New value:
• @="File Folder"
"NeverShowExt"=dword:00000001
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
Old value:
• "NoFolderOptions"=
%user defined settings%
"NoFind"=
%user defined settings%
"NoRun"=
%user defined settings%
New value:
• "NoFolderOptions"=dword:00000001
"NoFind"=dword:00000001
"NoRun"=dword:00000001
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
Old value:
• "ShowSuperHidden"=
%user defined settings%
"HideFileExt"=
%user defined settings%
New value:
• "ShowSuperHidden"=dword:00000000
"HideFileExt"=dword:00000001
Network Infection
In order to ensure its propagation the malware attemps to connect to other machines as described below.
It drops copies of itself to the following network shares:
• IPC$\
• Data.C$\
• Data.D$\
• Data.E$\
• Data.F$\
• Data.G$\
• Data.H$\
• imorxr$\Lagu.scr
• imorxr$\Gambar.scr
• imorxr$\Film.scr
• imorxr$\Dokumen Penting.scr
Process termination
Processes containing one of the following window titles are terminated:
• ANTI; TROJAN; SUPPORT; MASTER; WORM; VIRUS; HACK; CRACK; LINUX; AVG;
GRISOFT; CILLIN; SECURITY; LOCK; ASSOCIAT; SETUP; VAKSIN; UPDATE;
TEST; XXX; HIDDEN; DEMO; SYSTEM32; AFEE; NORTON; RONTOK; PCMAV; W32;
BLACK; MACRO; deulledo; TREND; SPERSKY; REGISTRY; COMMAND; KILL;
NORMAN; FILM; PORNO; SVQj; PROCEXPL
Miscellaneous
Network shares:
The following network shares will be created:
• imorxr$\
• Data.C$\
• Data.D$\
• Data.E$\
• Data.F$\
• Data.G$\
• Data.H$\
File details
Programming language:
The malware program was written in Delphi.
Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with the following runtime packer:
• UPX
See a brief description
here
.
Description inserted by Monica Ghitun on Mon, 03 Sep 2007 11:43 (GMT+1)
Description updated by Monica Ghitun on Wed, 05 Sep 2007 10:38 (GMT+1)
»
About Malware
»
About Phishing
»
Viruses In the Wild
« back
Print this page
W32/Elkern.C
TR/Crypt.CFI.Gen
Worm/KillAV.GR
Worm/Mytob.AP
Worm/Mytob.AT
TR/Crypt.PEPM.Gen
TR/Vundo.ewz.9
TR/Monderb.318720
Worm/IrcBot.39673.1
TR/PSW.Steam.DU
Get comfortable up to the minute info from Avira as
Detects and removes the following malware and its variants:
Worm/Sober.J
Worm/Sober.P
Worm/Sober.Y
W32/Stanit.A
Worm/NetSky.AA
Worm/NetSky.B.1
Worm/NetSky.C
Worm/Netsky.D.Dam
Worm/NetSky.P
Worm/NetSky.X
Worm/Mytob.IN.2
Worm/Mytob.KS
TR/Spy.Banker.AATZ
TR/Spy.Banker.AATZ.1
TR/Spy.Banker.AATZ.2
TR/Spy.Banker.AATZ.3
Download here
Click
here
to get the panel...
© 2008 Avira GmbH
Copyright
Privacy
Sitemap
Feedback
Imprint
FAQ
Contact
Virus Info Worm/Rindu.D
Print this page
.gif)
