Virus: VBS/Yuyun.A
Date discovered: 20/01/2009
Type: Worm
In the wild: Yes
Reported Infections: Low to medium
Distribution Potential: Low to medium
Damage Potential: Low to medium
Static file: No
File size: ~8.000 Bytes
IVDF version: 7.01.01.150 - Tuesday, January 20, 2009

General

Method of propagation:
   • Mapped network drives


Aliases:
   •  Mcafee: VBS/Autorun.worm.zo
   •  Kaspersky: Trojan.JS.Agent.jp
   •  F-Secure: Trojan.JS.Agent.jp
   •  Sophos: VBS/AutoRun-UC
   •  Eset: VBS/AutoRun.BQ
   •  Bitdefender: Worm.VBS.AO


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Access to floppy disk
   • Drops files
   • Registry modification

Files

It copies itself to the following locations:
   • %all directories%\Thumbs.db
   • %home%\My Documents\database.mdb
   • %WINDIR%\:Microsoft Office Update for Windows XP.sys



The following files are created:

Non-malicious files:
   • %all directories%\New Folder.lnk
   • %all directories%\Microsoft.lnk
   • %all directories%\%all subdirectories%.lnk

%all directories%\autorun.inf
This is a non-malicious text file with the following content:
   • %code that runs malware%

Registry

The following registry keys are added in order to run the processes after reboot:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Explorer
   • Wscript.exe //e:VBScript "%home%\My Documents\database.mdb"

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WinUpdate
   • Wscript.exe //e:VBScript "%WINDIR%\:Microsoft Office Update for Windows XP.sys"
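
An added detection sketch, not part of the original description: both autorun commands above force the VBScript engine (`//e:`) onto files with non-script extensions (`.mdb`, `.sys`), so the check below flags any autorun command with that shape. The function name, the extension allow-list and the two benign sample entries are assumptions constructed for illustration; the two flagged commands are the ones listed above.

```python
import ntpath
import re

# Extensions a script host is normally asked to run (assumed allow-list).
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}

# wscript/cscript, optional other // switches, a forced engine (//e:<engine>),
# then the target path, either quoted or bare.
FORCED_ENGINE = re.compile(
    r'\b(?:w|c)script(?:\.exe)?"?\s+(?:/{2}\S+\s+)*?//e:(?P<engine>\w+)'
    r'(?:\s+//\S+)*\s+(?:"(?P<quoted>[^"]+)"|(?P<bare>\S+))',
    re.IGNORECASE,
)

def suspicious_run_entries(entries):
    """Return (key, value name, engine, target) for autorun commands that force
    a script engine onto a file whose extension is not a script extension."""
    hits = []
    for key, name, command in entries:
        m = FORCED_ENGINE.search(command)
        if not m:
            continue  # no script host with a forced engine in this command
        target = m.group("quoted") or m.group("bare")
        ext = ntpath.splitext(target)[1].lower()
        if ext not in SCRIPT_EXTS:
            hits.append((key, name, m.group("engine"), target))
    return hits

RUN_HKCU = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_HKLM = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample of exported Run values: the first two are the entries
# from this description, the last two are made-up benign entries.
SAMPLE_ENTRIES = [
    (RUN_HKCU, "Explorer",
     r'Wscript.exe //e:VBScript "%home%\My Documents\database.mdb"'),
    (RUN_HKLM, "WinUpdate",
     r'Wscript.exe //e:VBScript "%WINDIR%\:Microsoft Office Update for Windows XP.sys"'),
    (RUN_HKLM, "Cleanup", r"cscript //nologo //e:jscript C:\tools\cleanup.js"),
    (RUN_HKCU, "Tray", r'"C:\Program Files\App\tray.exe" /background'),
]

if __name__ == "__main__":
    for key, name, engine, target in suspicious_run_entries(SAMPLE_ENTRIES):
        print(f"{key}\\{name}: {engine} forced on {target}")
```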



The value of the following registry key is removed:

HKCR\lnkfile
   • IsShortcut



The following registry key is changed:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
   New value:
   • DisableRegistrytools = 1

Description submitted by Andrei Gherman on Monday, January 26, 2009
Description updated by Andrei Gherman on Monday, January 26, 2009
