Ha bisogno di assistenza? Chieda alla community oppure consulti un esperto.
Vai ad Avira Answers
Date discovered:16/04/2007
In the wild:Yes
Reported Infections:Low
Distribution Potential:Low
Damage Potential:Low to medium
Static file:Yes
File size:172.032 Bytes
MD5 checksum:50fcc03125d42d7e1251d006eba8b12a
VDF version:
IVDF version: - Monday, April 16, 2007

 General    • No own spreading routine

   •  Mcafee: W32/Zaflen.a
   •  Kaspersky: Worm.Win32.VB.gr
   •  F-Secure: Worm.Win32.VB.gr
   •  Sophos: W32/Lovelet-AD
   •  Panda: W32/Nedro.C.worm
   •  Eset: Win32/VB.BP
   •  Bitdefender: Win32.Worm.VB.TC

Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Disable security applications
   • Drops malicious files
   • Registry modification

 Files It copies itself to the following locations:
   • %WINDIR%\lsass.exe
   • %SYSDIR%\mskernel.exe
   • %WINDIR%\setup\mskernel.exe
   • %WINDIR%\services.exe
   • %WINDIR%\gorgle\csrss.exe
   • %ALLUSERSPROFILE%\Desktop\Microsoft Word Document.scr
   • %ALLUSERSPROFILE%\Start Menu\Programs\Microsoft Word Document.scr
   • %ALLUSERSPROFILE%\Start Menu\New Microsoft Word Document.scr
   • %ALLUSERSPROFILE%\Start Menu\Programs\Startup\folderwiz.com
   • %HOME%\NetHood\Hot Picture.com
   • %HOME%\My Documents\My Picture.com
   • %HOME%\PrintHood\Printing Information.com
   • %HOME%\Recent\New Microsoft Word Document.scr
   • %HOME%\SendTo\Image Editor.com
   • %HOME%\Start Menu\Image Viewer.com
   • %HOME%\My Documents\My Picture.com
   • %HOME%\My Documents\MyPictures\mskernel.exe
   • %HOME%\My Documents\Rated R Pictures.com
   • %WINDIR%\AutoRun.ini
   • C:\CoolWorld.exe
   • %WINDIR%\agila.scr
   • %HOME%\Local Settings\Application Data\Microsoft\CD Burning\CoolWorld.exe

The following file is created:

C:\autorun.inf This is a non malicious text file with the following content:
   • [autorun]

 Registry The following registry keys are added in order to run the processes after reboot:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
   • Shell="explorer.exe "%WINDIR%\services.exe""
   • Userinit="%SYSDIR%\userinit.exe,%WINDIR%\gorgle\csrss.exe,"

   • (Default)="%SYSDIR%\mskernel.exe"

   • (Default)="\WINDOWS\lsass.exe"
   • WinRun="%WINDIR%\AutoRun.ini"

The following registry keys are added:

[HKCR\Folder\shell\About Us\Command]
   • Sams32="0212"

The following registry keys are changed:

Various Explorer settings:
   New value:
   • Run=dword:00000001
   • NoFolderOptions=dword:00000001
   • NoRun=dword:00000001

Disable Regedit and Task Manager:
   New value:
   • DisableRegistryTools=dword:00000001

   New value:
   • (Default)=""%WINDIR%\setup\mskernel.exe" "

   New value:
   • (Default)=""%WINDIR%\setup\mskernel.exe" "

   New value:
   • (Default)=""%WINDIR%\setup\mskernel.exe" "

   New value:
   • (Default)=""%WINDIR%\setup\mskernel.exe" "

   New value:
   • NeverShowExt="

   New value:
   • NeverShowExt="
     (Default)="Microsoft Word Document"

   New value:
   • NeverShowExt="

   New value:
   • NeverShowExt="
     (Default)="JPEG Image"

   New value:
   • (Default)="shimgvw.dll,3"

   New value:
   • ScanningSystemDrive="False"

   New value:
   • (Default)=hex(2):73,00,68,00,75,00,74,00,64,00,6f,00,77,00,6e,00,20,00,2d,00,73,00,20,00,2d,00,66,00,20,00,2d,00,74,00,20,00,30,00,00,00

   New value:
   • (Default)=hex(2):22,00,25,00,31,00,22,00,20,00,25,00,2a,00,00,00

 Process termination List of processes that are terminated:
   • avgctrl.exe; kav.exe; avgamsvr.exe; avgserv.exe; avgmsvr.exe;
      avgcc32.exe; avgcc.exe; avginet.exe; avgupsvc.exe; avgemc.exe;
      avgnt.exe; avgregcl.exe; avgserv9.exe; avgw.exe; alogserv.exe;
      avsynmgr.exe; Mpfsheild.exe; MpfAgent.exe; mpf.exe; MpfConsole.exe;
      mcagent.exe; mcappins.exe; McDash.exe; mcdetect.exe; mcinfo.exe;
      mcmnhdlr.exe; mcshield.exe; mctskshd.exe; mcupdate.exe; mcvsescn.exe;
      mcvsshld.exe; avpcc.exe; mcvsftsn.exe; mcvsrte.exe; vstskmgr.exe;
      vsmain.exe; vshwin32.exe; pccpfw.exe; pccclient.exe; pcclient.exe;
      pccguide.exe; pccnt.exe; pccntmon.exe; pccntupd.exe; PcCtlCom.exe;
      pcscan.exe; avpm.exe; kavsvc.exe; AVENGINE.EXE; nisserv.exe;
      NISUM.exe; Navapsvc.exe; NMain.exe; Navapw32.exe; VetMsg.exe;
      VetTray.exe; Vet32.exe; VetNT.exe; vsmon.exe; zlclient.exe; zapro.exe;
      LUPGCONF.EXE; PAVSRV51.EXE; PavPrSrv.exe

 File details Programming language:
The malware program was written in Visual Basic.

Descrizione inserita da Ernest Szocs su mercoledì 7 novembre 2007
Descrizione aggiornata da Ernest Szocs su giovedì 8 novembre 2007

Indietro . . . .
https:// Questa finestra è criptata per tua sicurezza.