Date discovered:07/09/2009
In the wild:Yes
Reported Infections:Low
Distribution Potential:Low
Damage Potential:Low to medium
Static file:Yes
File size:94.208 Bytes
MD5 checksum:bab4884c5d0240b3882d725297043609
IVDF version:

 General Method of propagation:
• Autorun feature

   •  Mcafee: W32/Autorun.worm.h virus
   •  Panda: W32/Autorun.JEY
   •  Eset: Win32/AutoRun.VB.FX
   •  Bitdefender: Worm.Generic.83904

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Drops malicious files
   • Registry modification

 Files It copies itself to the following locations:
   • %drive%\Read1st!.exe
   • %drive%\%all directories%.exe

The following files are created:

%drive%\autorun.inf This is a non malicious text file with the following content:
   • %code that runs malware%


 Registry  The following registry keys including all values and subkeys are removed:
   • [HKLM\SYSTEM\CurrentControlSet\Services\COMSysApp]
   • [HKLM\SYSTEM\CurrentControlSet\Services\SwPrv]
   • [HKLM\SYSTEM\CurrentControlSet\Services\TPAutoConnSvc]

The following registry key is changed:

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
   New value:
   • "DisableSR"=dword:0x00000000
   • "RestoreDiskSpaceError"=dword:0x00000000

 File details Programming language:
The malware program was written in Visual Basic.

Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

説明の挿入者 Petre Galan の 2009年12月14日月曜日
説明の更新者 Petre Galan の 2009年12月14日月曜日

戻る . . . .