Date discovered:15/09/2010
In the wild:Yes
Reported Infections:Low
Distribution Potential:Low to medium
Damage Potential:Medium
Static file:Yes
File size:439.296 Bytes
MD5 checksum:E93B115A57C2B3C75D21387DAC59A3E2
IVDF version: - Wednesday, September 15, 2010

 General Method of propagation:
    Autorun feature

   •  Symantec: W32.SillyFDC
   •  Mcafee: W32/Autorun.worm.g
   •  Kaspersky: Worm.MSIL.Autorun.fn
   •  F-Secure: Trojan.MSIL.Agent.P
   •  Sophos: W32/Autorun-BJR
   •  Bitdefender: Trojan.MSIL.Agent.P
     Avast: MSIL:AutoRun-W
     Microsoft: Worm:MSIL/Autorun.F
   •  Panda: MSIL/Autorun.KBQ
     PCTools: Net-Worm.SillyFDC!rem
   •  VirusBuster: Trojan.Agent2.MOU
   •  Eset: MSIL/Autorun.Agent.S
     GData: Trojan.MSIL.Agent.P
     Authentium: W32/Autorun.WV
     Norman: W32/Autorun.BMAY

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
    Windows Vista
    Windows Server 2008
    Windows 7

Side effects:
   • Registry modification

 Files It copies itself to the following locations:
   • %PROGRAM FILES%\system32.exe
   • %drive%\lamberguini.avi.exe
   • %drive%\Marcedesse_SLR-722.avi.exe

The following files are created:

%drive%\autorun.inf This is a non malicious text file with the following content:
   • %code that runs malware%

 Registry One of the following values is added in order to run the process after reboot:

   • "mlh"="%PROGRAM FILES%\system32.exe"

 Backdoor Contact server:
One of the following:
   • http://raw3a.over-blog.com/
   • http://www.raw3a.org/
   • http://barchamusic.over-blog.com/

 File details Programming language:
 • CIL (.NET 2.x)

説明の挿入者 Irina Diaconescu の 2010年11月2日火曜日
説明の更新者 Irina Diaconescu の 2010年11月5日金曜日

戻る . . . .
https:// このウィンドウは暗号化されています。