Virus: Worm/Autorun.yve
Date discovered: 28/01/2009
Type: Worm
In the wild: Yes
Reported Infections: Low to medium
Distribution Potential: Low to medium
Damage Potential: Medium
Static file: Yes
File size: 1.507.328 Bytes
MD5 checksum: 9e004c0e96b6c033c8c9fa9a3cfaa707
IVDF version: 7.01.01.197 - Wednesday, January 28, 2009

General Methods of propagation:
   • Autorun feature
   • Messenger


Aliases:
   • McAfee: Generic MultiDropper.a
   • Sophos: Mal/Generic-A
   • Panda: W32/Autorun.IZQ
   • Eset: Win32/AutoRun.VB.BE
   • Bitdefender: Trojan.VB.Agent.CW


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads a malicious file
   • Drops malicious files
   • Lowers security settings
   • Registry modification
   • Third party control

Files
It copies itself to the following locations:
   • %HOME%\Application Data\intranetexplorer.exe
   • %drive%\.Autorun\%random character string%\Autorun.exe



The following files are created:
   • %drive%\.Autorun\%random character string%\Desktop.ini
   • %drive%\autorun.inf
     This is a non-malicious text file with the following content:
      • %code that runs malware%

Registry
One of the following values is added to each of these registry keys so that the process is run again after reboot:

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "Microsoft Intranet Patcher"="%home%\Application Data\intranetexplorer.exe"

–  [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\
   Install\Software\Microsoft\Windows\CurrentVersion\Run]
   • "Microsoft Intranet Patcher"="%home%\Application Data\intranetexplorer.exe"



The following registry key is added:

– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
   FirewallPolicy\StandardProfile\AuthorizedApplications\List]
   • "%malware execution directory%\%executed file%"="%malware execution directory%\%executed file%:*:Enabled:Microsoft Intranet Patcher"
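As an added example that is not part of the Avira description, a read-only PowerShell triage script that checks a host for the file, Run-key and firewall-exception indicators listed above. It assumes that %HOME%\Application Data resolves to $env:APPDATA and that Get-FileHash (PowerShell 4.0 or later) is available.

```powershell
# Added example, not from the Avira description: read-only triage of the
# indicators listed above. Run in an elevated PowerShell session.
# Assumptions: %HOME%\Application Data resolves to $env:APPDATA, and
# Get-FileHash (PowerShell 4.0+) is available.
$Marker   = 'Microsoft Intranet Patcher'
$KnownMd5 = '9e004c0e96b6c033c8c9fa9a3cfaa707'   # MD5 from the description
$Findings = @()

# 1. Dropped copy in the user's profile, hashed and compared with the known sample
$Copy = Join-Path $env:APPDATA 'intranetexplorer.exe'
if (Test-Path $Copy) {
    $Md5 = (Get-FileHash -Path $Copy -Algorithm MD5).Hash.ToLower()
    $Findings += "file: $Copy (MD5 $Md5, known sample: $($Md5 -eq $KnownMd5))"
}

# 2. autorun.inf and .Autorun\<random>\Autorun.exe on every drive root
foreach ($Drive in Get-PSDrive -PSProvider FileSystem) {
    $Inf = Join-Path $Drive.Root 'autorun.inf'
    if (Test-Path $Inf) { $Findings += "file: $Inf" }
    Get-ChildItem -Path (Join-Path $Drive.Root '.Autorun') -Recurse -Force `
        -Filter 'Autorun.exe' -ErrorAction SilentlyContinue |
        ForEach-Object { $Findings += "file: $($_.FullName)" }
}

# 3. Run keys carrying the value name used for persistence
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($Key in $RunKeys) {
    $Item = Get-ItemProperty -Path $Key -Name $Marker -ErrorAction SilentlyContinue
    if ($Item) { $Findings += "registry: $Key\$Marker = $($Item.$Marker)" }
}

# 4. Firewall exception list: each value is 'path:scope:Enabled:name'; flag the name
$FwKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
if (Test-Path $FwKey) {
    $Props = Get-ItemProperty -Path $FwKey
    foreach ($Prop in $Props.PSObject.Properties) {
        if ($Prop.Name -like 'PS*') { continue }          # skip provider metadata
        $Fields = [string]$Prop.Value -split ':'
        if ($Fields[-1] -eq $Marker) { $Findings += "firewall exception: $($Prop.Name) -> $($Prop.Value)" }
    }
}

if ($Findings.Count -eq 0) { 'No Worm/Autorun.yve indicators found.' }
else { $Findings | ForEach-Object { "[!] $_" } }
```

The script only reads; any hit should be preserved for analysis (hash, timestamps, the autorun.inf content) before removal.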

Messenger
It spreads via instant messaging. The characteristics are described below:

– MSN Messenger
– Yahoo Messenger


To:
All entries in the contact list.


Message
The sent message looks like one of the following:

   • meinst du das ernst?
   • ich hoffe es gefällt dir
   • das ist geil
   • bist du das?
   • du bist echt sexy
   • haha das ist sooo lustig
   • kennst du das?
   • estás en serio??? :S:S
   • no sabía que te metias cosas asi :S
   • esto es horrible :S
   • alguien dijo que eras tu
   • eres tu de verdad?
   • tu eres realmente sexi ;)
   • jajaja esto es muy divertido
   • encontré esto... te resulta familiar?
   • check this one
   • hehe!
   • i find this one really funny :)
   • is this really you???
   • did you take this picture?
   • who is this?
   • você é sério??? :S:S
   • eu não soube que você apreciou o material como este:S
   • isto é horrível:S
   • alguém disse que este era você
   • é isto realmente você
   • você é realmente sexy ;)
   • o hahaha isto é tão engraçado
   • eu encontrei que isto olha familiar??
   • t'es serieu la?
   • je savais pas que t'aimait ce genre de truc
   • c'est horrible ahah
   • qqn m'a dit que c'était toi
   • c'est vraiment toi ou!?
   • lol vraiment pas mal
   • hehe detta är roligt
   • kolla det här
   • haha roligt :D
   • hehe gjorde du detta?
   • jag visste inte att du gillade sånt här :S
   • är detta du?
   • bent u ernstig??? :S:S
   • ik wist niet u van materiaal als dit genoot :S
   • dit is afschuwelijk :S
   • iemand zei dit u was
   • dit is werkelijk u?
   • u bent werkelijk sexy ;)
   • hahaha dit is zo grappig
   • ik vond dit het? vertrouwd kijkt?
   • :D
   • ;)
   • :D ACCEPT!
   • ;)(L)
   • :P
   • lol
   • hm?
   • pic?

The message carries a URL that refers to a copy of the described malware. If the user downloads and executes this file, the infection process starts again.

IRC
To deliver system information and to provide remote control it connects to the following IRC server:

Server: pptp.da**********.net
Port: 47221
Channel: #blaze
Nickname: [USA|00|XP||%number%]


– Furthermore, it has the ability to perform actions such as:
    • Download file
    • Execute file
    • Update itself

File details
Runtime packer:
In order to hinder detection and reduce the size of the file, it is packed with a runtime packer.

Description inserted by Petre Galan on Friday, 26 February 2010
Description updated by Petre Galan on Friday, 26 February 2010
