Tag Archives for "01detectautorun"

W32/Autorun.worm!ju

W32/Autorun.worm!ju may also carry out the following actions:

It modifies the Windows Registry, adding the following entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\] "Explorador" = "%WINDIR%\Hyden.dll.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\] "matriz" = "explorer.exe Twain32.dll.exe"
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\KnownDLLs\] "Hyden" = "Hyden.dll.exe"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs\] "Hyden" = "Hyden.dll.exe"

%WINDIR% is \WINDOWS on Windows 9x/ME/XP/Vista and \WINNT on Windows NT/2000.

The threat will drop the following malicious files:

  • %WINDIR%\system32\Explores.exe
  • %WINDIR%\system32\Hyden.dll.exe
  • %WINDIR%\system32\Twain32.dll.exe
  • %WINDIR%\Hyden.dll.exe
  • %WINDIR%\Twain32.dll.exe

W32.SillyFDC.BDG

When W32.SillyFDC.BDG is present on the computer, it will perform the following tasks:

It modifies the Windows Registry, adding the following entries:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Windows Media Player" = "%ProgramFiles%\Windows Media Player\wmplayerc.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\"FirewallDisableNotify" = "1"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\"FirewallOverride" = "1"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\"UpdatesDisableNotify" = "1"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\"AntiVirusDisableNotify" = "1"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\"AntiVirusOverride" = "1"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\"EnableLUA" = "0"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\"Debugger" = "rundll32.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\"Debugger" = "rundll32.exe"

The Security Center values silence the firewall, update and antivirus warnings, EnableLUA = 0 turns off UAC, and the Image File Execution Options entries redirect both script hosts: any attempt to launch cscript.exe or wscript.exe starts rundll32.exe instead, with the script host's command line appended.

The threat will drop the following malicious files:

  • %ProgramFiles%\Windows Media Player\svchost.exe
  • %ProgramFiles%\Windows Media Player\wmplayerc.exe
  • %CurrentFolder%\[SUBFOLDER NAME].lnk
  • %SystemDrive%\Autorun.inf
  • %DriveLetter%\RECYCLER\desktop.ini
  • %DriveLetter%\RECYCLER\[TWO SPACES].com

W32/Autorun.worm.h

W32/Autorun.worm.h will also perform the following tasks:

It modifies the Windows Registry, adding the following entries:

  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{35106240-D2F0-DB35-716E-127EB80A0299}
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}

W32/Autorun.worm.h will drop the following malicious files and folder:

  • %SystemDrive%\Diskrun.exe
  • %WINDIR%\system32\lowsec\local.ds
  • %WINDIR%\system32\lowsec\user.ds
  • %WINDIR%\system32\lowsec\user.ds.lll
  • %WINDIR%\System32\sdra64.exe
  • %SystemDrive%\Autorun.inf
  • %WINDIR%\system32\lowsec

W32.SillyFDC.BBX

What are the Symptoms of W32.SillyFDC.BBX Infection?

It modifies the Windows Registry, adding the following entries:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Msn Messsenger" = "%System%\regsvr.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"svchost Agent" = "%System%\28463\svchost.exe"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\"AtTaskMaxHours" = "0"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\"%CurrentFolder%\[ORIGINAL THREAT FILE NAME].exe" = "%CurrentFolder%\[ORIGINAL THREAT FILE NAME].exe:*:Enabled:ipsec"

The last entry adds the original dropper to the Windows Firewall exception list, so its network activity is allowed without a prompt.

The threat will drop the following malicious files:

  • %DriveLetter%\New Folder .exe
  • %DriveLetter%\jxcw.exe
  • %DriveLetter%\regsvr.exe
  • %DriveLetter%\autorun.inf
  • %System%\28463\svchost.001
  • %System%\28463\svchost.exe
  • %System%\setting.ini
  • %System%\setup.ini
  • %Windir%\Tasks\At1.job
  • %System%\regsvr.exe
  • %System%\svchost .exe
  • %Windir%\regsvr.exe
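The four write-ups above share a small set of patterns: autostart values under Run, Winlogon and KnownDLLs that point at double-extension executables, Security Center warnings and UAC switched off, an Image File Execution Options Debugger entry on cscript.exe/wscript.exe, a firewall exception for the dropper, and autorun.inf plus oddly named executables at drive roots. The following Python script is an added example, not code from the original page or from any AV vendor. It parses a text .reg export and a file listing collected from a suspect host and flags those patterns; SAMPLE_REG and SAMPLE_FILES are constructed inputs that mirror the indicators listed above, and the rules go beyond the four names (any IFEO Debugger value, any Security Center override, any svchost.exe outside system32 is reported).

```python
"""Offline triage of a Windows .reg export and a file listing for the persistence and
defence-evasion indicators in the Autorun worm write-ups above. Added example, not code from
the original page or any AV vendor; SAMPLE_REG and SAMPLE_FILES are constructed inputs."""
import ntpath
import re
# Registry locations the write-ups show the worms touching; dropped-file names from the lists
# above, plus the naming tricks they use (double extension, space before the extension).
SC_SUPPRESSION = {"FirewallDisableNotify", "FirewallOverride", "UpdatesDisableNotify",
                  "AntiVirusDisableNotify", "AntiVirusOverride"}
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run$", re.I)
IFEO_RE = re.compile(r"\\Image File Execution Options\\([^\\]+)$", re.I)
KNOWNDLLS_RE = re.compile(r"\\Session Manager\\KnownDLLs$", re.I)
FIREWALL_LIST_RE = re.compile(r"\\FirewallPolicy\\\w+Profile\\AuthorizedApplications\\List$", re.I)
KNOWN_DROPPED = {"hyden.dll.exe", "twain32.dll.exe", "explores.exe", "wmplayerc.exe",
                 "diskrun.exe", "sdra64.exe", "jxcw.exe", "regsvr.exe", "local.ds", "user.ds"}
DOUBLE_EXT_RE = re.compile(r"\.(dll|ini|com|txt|jpg)\.exe$", re.I)
SPACE_EXT_RE = re.compile(r"\s\.(exe|com|scr)$", re.I)

SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Explorador"="C:\\WINDOWS\\Hyden.dll.exe"
"SecurityHealth"="C:\\WINDOWS\\system32\\SecurityHealthSystray.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe]
"Debugger"="rundll32.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs]
"Hyden"="Hyden.dll.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"E:\\jxcw.exe"="E:\\jxcw.exe:*:Enabled:ipsec"
'''
SAMPLE_FILES = [r"C:\WINDOWS\system32\svchost.exe", r"C:\WINDOWS\system32\28463\svchost.exe",
                r"C:\WINDOWS\Twain32.dll.exe", r"E:\autorun.inf", r"E:\RECYCLER\  .com",
                r"E:\New Folder .exe"]

def _unescape(s):
    return s.strip('"').replace("\\\\", "\\").replace('\\"', '"')

def parse_reg_export(text):
    """Parse a .reg export into {key: {value_name: data}}; string and dword data only."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and '"=' in line:
            name, _, data = line.partition('"=')
            data = int(data[6:], 16) if data.startswith("dword:") else _unescape(data)
            keys[current][_unescape(name + '"')] = data
    return keys

def suspicious_filename(path):
    """Return why a path resembles one of the dropped files above, or None."""
    head, base = ntpath.split(path)
    low, parent = base.lower(), head.lower()
    if low in KNOWN_DROPPED:
        return "name listed as dropped by an Autorun worm"
    if low == "autorun.inf" and re.fullmatch(r"[a-z]:\\?", parent):
        return "autorun.inf at drive root"
    if DOUBLE_EXT_RE.search(base):
        return "double extension"
    if SPACE_EXT_RE.search(base):
        return "space before extension"
    if low == "svchost.exe" and not parent.endswith(("\\system32", "\\syswow64")):
        return "svchost.exe outside system32"
    return None

def scan_files(paths):
    return [(p, suspicious_filename(p)) for p in paths if suspicious_filename(p)]

def find_registry_indicators(reg):
    """Return (key, value_name, reason) for entries matching the worms' behaviour."""
    findings = []
    for key, values in reg.items():
        k, ifeo = key.lower(), IFEO_RE.search(key)
        for name, data in values.items():
            text, reason = str(data), None
            if k.endswith("\\security center\\svc") and name in SC_SUPPRESSION and text == "1":
                reason = "Security Center warning suppressed"
            elif k.endswith("\\policies\\system") and name == "EnableLUA" and text == "0":
                reason = "UAC disabled (EnableLUA=0)"
            elif ifeo and name.lower() == "debugger":
                reason = f"IFEO Debugger hijack: {ifeo.group(1)} now launches {text}"
            elif KNOWNDLLS_RE.search(key) and text.lower().endswith(".exe"):
                reason = "KnownDLLs entry pointing at an .exe"
            elif FIREWALL_LIST_RE.search(key) and ":*:Enabled:" in text:
                reason = f"firewall exception added for {name}"
            elif RUN_KEY_RE.search(key) and suspicious_filename(text):
                reason = f"Run entry: {suspicious_filename(text)}"
            if reason:
                findings.append((key, name, reason))
    return findings

if __name__ == "__main__":
    for key, name, reason in find_registry_indicators(parse_reg_export(SAMPLE_REG)):
        print(f"[reg ] {reason}: {key}\\{name}")
    print(scan_files(SAMPLE_FILES))
```

On a live host, `reg export HKLM hklm.reg` writes UTF-16LE with a BOM, so open the file with encoding="utf-16" before passing it to parse_reg_export; a listing from `dir /s /b` feeds scan_files directly. The name-based rules are deliberately narrow (a double extension or a space before .exe is rarely legitimate), and the svchost.exe rule allows SysWOW64 as well as system32 so that 64-bit hosts do not produce a false positive. Treat the IFEO hit as the strongest signal: a Debugger value of rundll32.exe on the script hosts means the Run entries and files above will survive any cleanup attempt written as a .vbs or .js script.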