Ha bisogno di assistenza? Chieda alla community oppure consulti un esperto.
Vai ad Avira Answers
Date discovered:19/09/2008
In the wild:No
Reported Infections:Low
Distribution Potential:Low to medium
Damage Potential:Low to medium
File size:345021 Bytes
MD5 checksum:98484fa2cf91a4eb7216b2bee377645e
VDF version:
IVDF version: - Friday, September 19, 2008

 General Method of propagation:

   •  Kaspersky: Worm.Win32.AutoIt.cb
   •  F-Secure: Worm.Win32.AutoIt.cb
   •  Sophos: W32/Sohana-BN
     Microsoft: Worm:Win32/Nuqel.BE
     AVG: Dropper.Generic4.CAYF
   •  Eset: Win32/Autoit.EP.Gen worm
     GData: Worm.Generic.39636

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
    Windows Vista
    Windows Server 2008
    Windows 7

Side effects:
    Can be used to execute malicious code
   • Downloads malicious files
   • Registry modification

 Files It copies itself to the following locations:
   • %SYSDIR%\gphone.exe
   • %WINDIR%\gphone.exe

%SYSDIR%\autorun.ini This is a non malicious text file with the following content:
   • [Autorun]

 Registry One of the following values is added in order to run the process after reboot:

   • "Yahoo Messengger"="%SYSDIR%\gphone.exe"

The following registry keys are added in order to load the service after reboot:

   • "NofolderOptions"="dword:0x00000001"

The following registry key is added:

   • "DisableRegistryTools"="dword:0x00000001"
   • "DisableTaskMgr"="dword:0x00000001"

The following registry key is changed:

Internet Explorer's start page:

[HKCU\Software\Microsoft\Internet Explorer\Main]
   Old value:
   • "Start Page"="about:blank"
   New value:
   • "Start Page"="http://googleinindia.blogspot.com"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main]
   Old value:
   • "Default_Page_URL"="http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome"
   • "Default_Search_URL"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
   • "Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
   • "Start Page"="http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home"
   New value:
   • "Default_Page_URL"="http://googleinindia.blogspot.com"
   • "Default_Search_URL"="http://googleinindia.blogspot.com"
   • "Search Page"="http://googleinindia.blogspot.com"
   • "Start Page"="http://googleinindia.blogspot.com"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   Old value:
   • "Shell"="Explorer.exe"
   New value:
   • "Shell"="Explorer.exe gphone.exe"

 Messenger It is spreading via Messenger. The characteristics are described below:

 Yahoo Messenger

 Miscellaneous  Checks for an internet connection by contacting the following web sites:
   • http://goto**********.googlepages.com/setting.ini
   • http://sciencean**********.googlepages.com/setting.ini
   • http://see**********cam.googlepages.com/setting.ini
   • http://age**********yoga.googlepages.com/setting.ini

Event handler:
It creates the following Event handlers:
   • GetPrivateProfileSectionW
   • GetPrivateProfileStringW
   • CreateProcessWithLogonW
   • RegisterWindowMessageW
   • GetProcessIoCounters
   • GetProcessMemoryInfo
   • InternetCrackUrlW
   • LockWindowUpdate
   • GetSystemMetrics
   • SendCapsLockMode
   • SendKeyDownDelay
   • ReleaseCapture
   • keybd_event

Descrizione inserita da Wensin Lee su lunedì 10 giugno 2013
Descrizione aggiornata da Wensin Lee su lunedì 10 giugno 2013

Indietro . . . .
https:// Questa finestra è criptata per tua sicurezza.