Virus: Worm/Autorun.bzjn
Date discovered: 24/01/2011
Type: Worm
In the wild: Yes
Reported Infections: Low
Distribution Potential: Medium to high
Damage Potential: Medium
File size: 137.984 Bytes
MD5 checksum: 615471A7DCC3A5B5AAF58B9B219BC27C
VDF version: 7.10.08.40
IVDF version: 7.11.01.226 - Monday, January 24, 2011

General Methods of propagation:
   • Autorun feature
   • Mapped network drives


Aliases:
   •  Symantec: W32.Virut.CF
   •  Kaspersky: Worm.Win32.AutoRun.ckvt
   •  TrendMicro: WORM_AUTORUN.FKP


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows 7


Side effects:
   • Downloads files
   • Drops files
   • Registry modification
   • Steals information

Files
It copies itself to the following locations:
   • %ALLUSERSPROFILE%\Application Data\wmimgmt.exe
   • %drive%\%all directories%.exe
   • %drive%\RECYCLER\wmimgmt.com



The following files are created:

%drive%\autorun.inf This is a non-malicious text file with the following content:
   • %code that runs malware%

%TEMPDIR%\avp.exe Further investigation pointed out that this file is malware, too. Detected as: TR/Orsam.A.7761

%TEMPDIR%\drivers.p This file contains collected information about the system.
%TEMPDIR%\ghi.bat Further investigation pointed out that this file is malware, too. Detected as: BAT/Agent.DA

%TEMPDIR%\temp.vih Contains parameters used by the malware.
%TEMPDIR%\INFO.TXT This file contains collected information about the system.



It tries to download a file:

The location is the following:
   • http://**********.dumb1.com:80/PHqgHumeay5705.mp3
At the time of writing this file was not online for further investigation.

Registry
The following registry key is added:

[HKLM\SYSTEM\ControlSet001\Services\wuauserv\Parameters]
   • "ServiceDll"="%SYSDIR%\wuausrv.dll"



The following registry key is changed:

Various Explorer settings:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
   Folder\SuperHidden]
   New value:
   • "UncheckedValue"=dword:00000000

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
   New value:
   • "ShowSuperHidden"=dword:00000000
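As an added defensive example (not part of the Avira description), the following Python check parses a constructed .reg export and flags the three registry indicators listed above. It assumes that the legitimate Windows Update service DLL is named wuauserv.dll, so a ServiceDll pointing at the look-alike wuausrv.dll is reported.

```python
# Constructed sample of a .reg export (not from a real infected host)
# containing the three registry indicators from this description.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters]
"ServiceDll"="C:\\WINDOWS\\system32\\wuausrv.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden]
"UncheckedValue"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden"=dword:00000000
"""

# Assumed baseline: the genuine Windows Update service DLL name.
LEGIT_WUAUSERV_DLL = "wuauserv.dll"

WUAUSERV_PARAMS = r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters"
SUPERHIDDEN_POLICY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden"
EXPLORER_ADVANCED = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"


def parse_reg(text):
    """Return {key_path: {value_name: raw_value}} from .reg export text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"') and "=" in line:
            name, _, value = line.partition("=")
            keys[current][name.strip('"')] = value
    return keys


def check_indicators(reg_text):
    """Return findings for each indicator from the description that is present."""
    findings = []
    keys = parse_reg(reg_text)
    # 1. wuauserv ServiceDll hijack: compare the DLL file name against the baseline.
    dll = keys.get(WUAUSERV_PARAMS, {}).get("ServiceDll", "").strip('"')
    basename = dll.replace("\\\\", "\\").rsplit("\\", 1)[-1].lower()
    if dll and basename != LEGIT_WUAUSERV_DLL:
        findings.append(f"wuauserv ServiceDll points to unexpected DLL: {dll}")
    # 2./3. Explorer settings forcing protected OS files to stay hidden.
    if keys.get(SUPERHIDDEN_POLICY, {}).get("UncheckedValue") == "dword:00000000":
        findings.append("SuperHidden\\UncheckedValue forced to 0")
    if keys.get(EXPLORER_ADVANCED, {}).get("ShowSuperHidden") == "dword:00000000":
        findings.append("ShowSuperHidden set to 0")
    return findings
```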

Network Infection
In order to ensure its propagation the malware attempts to connect to other machines as described below.

It drops a copy of itself to the following network share:
   • It copies itself in network shares using random names found on the victim's system.

Backdoor
Contact server:
   • **********.dumb1.com:80

As a result it may send some information.

Sends information about:
   • Information about the Windows operating system

File details
Programming language:
The malware program was written in MS Visual C++.

Description inserted by: Andrei Ilie on Monday, August 1, 2011
Description updated by: Andrei Ilie on Wednesday, August 3, 2011
