Virus:Worm/Autorun.bzjn
Date discovered:24/01/2011
Type:Worm
In the wild:Yes
Reported Infections:Low
Distribution Potential:Medium to high
Damage Potential:Medium
File size:137,984 bytes
MD5 checksum:615471A7DCC3A5B5AAF58B9B219BC27C
VDF version:7.10.08.40
IVDF version:7.11.01.226 - Monday, January 24, 2011

General
Methods of propagation:
   • Autorun feature
   • Mapped network drives


Aliases:
   •  Symantec: W32.Virut.CF
   •  Kaspersky: Worm.Win32.AutoRun.ckvt
   •  TrendMicro: WORM_AUTORUN.FKP


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows 7


Side effects:
   • Downloads files
   • Drops files
   • Registry modification
   • Steals information

Files
It copies itself to the following locations:
   • %ALLUSERSPROFILE%\Application Data\wmimgmt.exe
   • %drive%\%all directories%.exe
   • %drive%\RECYCLER\wmimgmt.com



The following files are created:

%drive%\autorun.inf This is a plain text file, not executable code on its own, but its content causes the malware to be launched when the drive is opened with AutoRun enabled:
   • %code that runs malware%

%TEMPDIR%\avp.exe Further investigation showed that this file is malware, too. Detected as: TR/Orsam.A.7761

%TEMPDIR%\drivers.p This file contains collected information about the system.

%TEMPDIR%\ghi.bat Further investigation showed that this file is malware, too. Detected as: BAT/Agent.DA

%TEMPDIR%\temp.vih Contains parameters used by the malware.

%TEMPDIR%\INFO.TXT This file contains collected information about the system.



It tries to download a file:

– The location is the following:
   • http://**********.dumb1.com:80/PHqgHumeay5705.mp3
At the time of writing this file was no longer online, so it could not be analysed further.

Registry
The following registry key is added:

– [HKLM\SYSTEM\ControlSet001\Services\wuauserv\Parameters]
   • "ServiceDll"="%SYSDIR%\wuausrv.dll"

Note that the key belongs to the Windows Update service (wuauserv) and the DLL name is a lookalike of it, so the entry is easy to overlook when reviewing service configuration.



The following registry keys are changed:

Explorer settings that hide protected operating system ("super hidden") files, which conceals the dropped copies from the user:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
   Folder\SuperHidden]
   New value:
   • "UncheckedValue"=dword:00000000

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
   New value:
   • "ShowSuperHidden"=dword:00000000
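The file, autorun.inf and registry indicators above can be swept from one script. The following is an added example written for this page, not code from Avira or from the malware; it assumes PowerShell 4 or later (for Get-FileHash), an elevated session so HKLM and RECYCLER are readable, and it reads %drive%\%all directories%.exe as "an .exe named after each top-level directory, placed in the drive root", which is one reading of that pattern. It checks CurrentControlSet rather than the literal ControlSet001 named above, since CurrentControlSet is the one in effect on the running system.

```powershell
# Added example (not Avira's code): sweep a host for the indicators listed in this description.
# Assumptions: PowerShell 4+ for Get-FileHash; run elevated; the interpretation of
# "%drive%\%all directories%.exe" as "<dirname>.exe in the drive root" is ours.
$KnownMd5 = '615471A7DCC3A5B5AAF58B9B219BC27C'   # MD5 from the description header
$Findings = New-Object System.Collections.Generic.List[string]

function Test-IocFile {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return }
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash
    # A name hit with a different hash is still worth a look: it may be a repacked variant.
    $match = if ($hash -eq $KnownMd5) { 'MD5 match' } else { "name match only, MD5 $hash" }
    $Findings.Add("file: $Path [$match]")
}

# 1. Fixed drop locations from the "Files" section
Test-IocFile (Join-Path $env:ALLUSERSPROFILE 'Application Data\wmimgmt.exe')
foreach ($name in @('avp.exe', 'ghi.bat', 'drivers.p', 'temp.vih', 'INFO.TXT')) {
    Test-IocFile (Join-Path $env:TEMP $name)
}

# 2. Per-drive artefacts: RECYCLER\wmimgmt.com, autorun.inf and "<dirname>.exe" in the root
foreach ($drive in (Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root -match '^[A-Z]:\\$' })) {
    $root = $drive.Root
    Test-IocFile (Join-Path $root 'RECYCLER\wmimgmt.com')
    $autorun = Join-Path $root 'autorun.inf'
    if (Test-Path -LiteralPath $autorun -PathType Leaf) {
        # autorun.inf is plain INI text; the launch directives are open=, shellexecute= and shell\...\command=
        $launch = Get-Content -LiteralPath $autorun -ErrorAction SilentlyContinue |
            Where-Object { $_ -match '^\s*(open|shellexecute|shell\\.*\\command)\s*=' }
        if ($launch) { $Findings.Add("autorun.inf on $root launches: $($launch -join '; ')") }
    }
    Get-ChildItem -LiteralPath $root -Directory -Force -ErrorAction SilentlyContinue | ForEach-Object {
        Test-IocFile (Join-Path $root ($_.Name + '.exe'))
    }
}

# 3. Registry: wuauserv ServiceDll pointing at the lookalike DLL
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters'
$dll = (Get-ItemProperty -Path $svcKey -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
if ($dll -and $dll -match '\\wuausrv\.dll$') { $Findings.Add("registry: $svcKey ServiceDll = $dll") }

# 4. Registry: Explorer forced to hide protected operating system files
$advKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$ssh = (Get-ItemProperty -Path $advKey -Name ShowSuperHidden -ErrorAction SilentlyContinue).ShowSuperHidden
if ($ssh -eq 0) { $Findings.Add("registry: $advKey ShowSuperHidden = 0") }

if ($Findings.Count -gt 0) {
    $Findings | ForEach-Object { Write-Output "[!] $_" }
} else {
    Write-Output 'no indicators from this description found'
}
```

ShowSuperHidden=0 is also the Windows default, so on its own that line is a weak signal; treat it as corroboration when a file or ServiceDll hit is present rather than as an indicator by itself.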

Network Infection
In order to ensure its propagation the malware attempts to connect to other machines as described below.

It drops a copy of itself to the following network share:
   • It copies itself in network shares using random names found on the victim's system.

Backdoor
Contact server:
   • **********.dumb1.com:80

As a result it may send some information.

Sends information about:
    • Information about the Windows operating system

File details
Programming language:
The malware program was written in MS Visual C++.

Description added by Andrei Ilie on Monday, 1 August 2011
Description updated by Andrei Ilie on Wednesday, 3 August 2011
