| Malware name | Win32.Weird.e |
| Type | Virus |
| Affected platform | Win32 |
| Media-Type | application/executable |
| MD5 checksum | 652317F5C6B6361778EDA13A6DC6A248 |
| Static file | no |
| Filesize | 85,508 Bytes |
Alias names (also known as):
| Webwasher Proactive | Virus.Win32.FileInfector.gen |
| Sophos | W32/Weird-E |
| McAfee | W32/Kuang.f |
Protection:
| Webwasher Anti Malware | 6032.159.x |
| Webwasher Proactive | Database Version: 27 |
Side effects:
- Drops a malicious file
- Third party control
Description:
Files
It copies itself to the following location:
• %WINDIR%\McAfee.exe
Registry
The following registry key is added in order to run the process after reboot:
– [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
• "McAfee AntiVirus Shield"="%WINDIR%\\McAfee.exe"
Email
It does not have its own spreading routine, but it has the ability to send an email. The recipient is most likely the author. The characteristics are described below:
From: The sender of the email is the following:
• gandeson9871@**********
To: The recipient of the email is the following:
• gandeson9871@**********
Subject: The following:
• Please send email to %computer name%
Backdoor
The following port is opened:
– %executed file% on TCP port 136 in order to provide backdoor capabilities. As a result it may send information and remote control could be provided.
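The following host check is an added example, not part of the original Webwasher record: it looks for the three indicators described above (the Run-key value, the dropped file compared against the record's MD5, and a listener on TCP port 136) and reports what it finds. It assumes Windows PowerShell with the NetTCPIP module available (Get-NetTCPConnection) and that it is run with rights to read HKLM.

```powershell
# Added example (not from the original write-up): defender-side check for the
# Win32.Weird.e indicators. Values below are taken from the record above.
$valueName = 'McAfee AntiVirus Shield'
$runKey    = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$dropPath  = Join-Path $env:WINDIR 'McAfee.exe'
$knownMd5  = '652317F5C6B6361778EDA13A6DC6A248'

$findings = @()

# 1. Persistence: the Run value the sample adds, and the path it points to.
$runValue = (Get-ItemProperty -Path $runKey -Name $valueName -ErrorAction SilentlyContinue).$valueName
if ($runValue) {
    $findings += "Run value '$valueName' present: $runValue"
}

# 2. Dropped file in %WINDIR%; compare its MD5 against the record's hash.
if (Test-Path $dropPath) {
    $md5 = (Get-FileHash -Path $dropPath -Algorithm MD5).Hash
    if ($md5 -eq $knownMd5) { $note = 'matches record' }
    else { $note = 'differs from record (variant or unrelated file)' }
    $findings += "File $dropPath exists, MD5 $md5 ($note)"
}

# 3. Backdoor port: anything listening on TCP 136 and the process that owns it.
$listeners = Get-NetTCPConnection -LocalPort 136 -State Listen -ErrorAction SilentlyContinue
foreach ($l in $listeners) {
    $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
    $findings += "TCP 136 listening, owner: $($proc.ProcessName) (PID $($l.OwningProcess))"
}

if ($findings.Count -eq 0) {
    'No Win32.Weird.e indicators found on this host.'
} else {
    $findings
}
```

A hit on the port alone is weak evidence on its own, since other software may use TCP 136; treat the Run value plus the hash match as the stronger signal.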
File details
Programming language:
The malware program was written in MS Visual C++.
Runtime packer: In order to hamper detection and reduce the size of the file, it is packed with the following runtime packer:
• UPX