Worm/Autorun.phg - Worm
Virus: Worm/Autorun.phg
Date discovered: 09/10/2008
Type: Worm
In the wild: Yes
Reported Infections: Low
Distribution Potential: Low to medium
Damage Potential: Medium
Static file: Yes
File size: 118.784 Bytes
MD5 checksum: 0a2566df33fe77ebd22e9acd8aae2a6e
IVDF version: 7.00.07.16 - Thu, 09 Oct 2008 10:20 (GMT+1)
General
Method of propagation:
• Autorun feature
Aliases:
• Mcafee: W32/Autorun.worm.gen
• Sophos: Mal/Generic-A
• Panda: W32/Autorun.IPF
• Eset: Win32/AutoRun.IRCBot.DY
• Bitdefender: Trojan.Generic.1684107
Platforms / OS:
• Windows 2000
• Windows XP
• Windows 2003
Side effects:
• Drops malicious files
• Registry modification
• Third party control
Files
It copies itself to the following location:
• %drive%\RESTORE\%CLSID%\ise32.exe
The following files are created:
– %drive%\RESTORE\%CLSID%\Desktop.ini
– %drive%\autorun.inf This is a non-malicious text file with the following content:
• %code that runs malware%
Registry
The following registry keys are added:
– [HKLM\SOFTWARE\Classes\.key]
• "@"="regfile"
– [HKLM\Software\Microsoft\Active Setup\Installed Components\{28ABC5C0-4FCB-11CF-AAX5-81CX1C635612}]
• "StubPath"="c:\RESTORE\%CLSID%\ise32.exe"
IRC
To deliver system information and to provide remote control it connects to the following IRC Server:
Server: jpg.ms**********.us
Port: 1863
Nickname: [laMer]%random character string%
Injection
– It injects itself as a thread into a process.
Process name:
• explorer.exe
File details
Runtime packer:
To make detection more difficult and to reduce the size of the file, it is packed with a runtime packer.
Description inserted by Petre Galan on Fri, 05 Mar 2010 15:45 (GMT+1)
Description updated by Petre Galan on Fri, 05 Mar 2010 15:50 (GMT+1)
© 2010 Avira GmbH