Virus: WORM/Autorun.chwz
Date discovered: 29/04/2011
Type: Worm
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Low to medium
File size: 90.112 Bytes
MD5 checksum: 94A72F8B07B15A0CE37302D6B1205856
VDF version: 7.11.07.83 - Friday, April 29, 2011
IVDF version: 7.11.07.83 - Friday, April 29, 2011

General
Method of propagation:
   • No own spreading routine


Aliases:
   •  Mcafee: W32/YahLover.worm
   •  Kaspersky: Worm.Win32.AutoRun.chwz
   •  TrendMicro: WORM_AUTORUN.CON
   •  Microsoft: VirTool:Win32/CeeInject.gen!ED
   •  Panda: W32/Ircbot.DAC.worm


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows 7


Side effects:
   • Drops a file
   • Registry modification

Files
It copies itself to the following location:
   • %APPDATA%\windows32.exe

Registry
One of the following values is added to each registry key in order to run the processes after reboot:

–  [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "MicrosoftWindows"="%APPDATA%\windows32.exe"

–  [HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
   • "MicrosoftWindows"="%APPDATA%\windows32.exe"

–  [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
   • "MicrosoftWindows"="%APPDATA%\windows32.exe"

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "MicrosoftWindows"="%APPDATA%\windows32.exe"

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
   • "MicrosoftWindows"="%APPDATA%\windows32.exe"

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
   • "MicrosoftWindows"="%APPDATA%\windows32.exe"



The following registry keys are added in order to load the services after reboot:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices]
   • "MicrosoftWindows"="%APPDATA%\windows32.exe"

– [HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
   • "MicrosoftWindows"="%APPDATA%\windows32.exe"

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
   • "MicrosoftWindows"="%APPDATA%\windows32.exe"

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
   • "MicrosoftWindows"="%APPDATA%\windows32.exe"



The following registry keys are added:

– [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\load]
   • "MicrosoftWindows"="%APPDATA%\windows32.exe"

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion]
   • "Start Page"="http://redirecturls.**********"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]
   • "MicrosoftWindows"="%APPDATA%\windows32.exe"



The following registry key is changed:

– [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
   New value:
   • "ParseAutoexec"="1"

File details
Runtime packer:
To make detection more difficult and to reduce the size of the file, it is packed with a runtime packer.

Description inserted by Andrei Ilie on Wednesday, July 13, 2011
Description updated by Andrei Ilie on Monday, July 18, 2011
