| Field | Value |
| --- | --- |
| Malware name | Worm.Agent.W.45 |
| Type | Worm |
| Affected platform | Win32 |
| Media-Type | application/executable |
| MD5 checksum | 083A9DA79C3D43BCC29B7FDAB4486DC4 |
| Static file | yes |
| Filesize | 90,112 Bytes |
| Alias names (also known as) | Sophos: Mal/Autorun-E; McAfee: W32/Autorun.worm.gen |
| Protection | Webwasher Anti Malware 7001.1225.x |
| Side effects | Drops a file; registry modification |
Description:
Files
It copies itself to the following location:
• C:\RECYCLER\S-1-5-21-8749679017-0950430147-468708784-3200\hlpsvc.exe
On Windows XP/2003 the per-user Recycle Bin folders under C:\RECYCLER are named after the owning user's SID, so the dropped file blends in with legitimate bin folders. The name used here is not a valid SID, however: its first sub-authority, 8749679017, does not fit in 32 bits, which makes the folder name itself a usable indicator.
The following file is created:
– C:\RECYCLER\S-1-5-21-8749679017-0950430147-468708784-3200\Desktop.ini This is a non-malicious text file with the following content:
• [.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
The CLSID is that of the Recycle Bin shell folder, so Explorer renders the directory as a Recycle Bin rather than as an ordinary folder and the dropped executable is hidden from casual browsing.
Registry
The following value is added in order to run the process after reboot:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
• "Microsoft Help and Support"="C:\RECYCLER\S-1-5-21-8749679017-0950430147-468708784-3200\hlpsvc.exe"
Backdoor
Contact server: All of the following:
• 0xdeadbeef.cn:37454
• hitmen.it:37454
• not.malware.lv:37454
As a result, remote control of the infected host is provided to the operator of these servers.
Injection
– It injects itself into a process.
Process name:
• explorer.exe
File details
Runtime packer: In order to hinder detection and reduce the size of the file, it is packed with a runtime packer.
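As an added example (not code from the original description or from the vendor), the host and network indicators listed above can be turned into a small offline triage script: it parses a .reg export of the HKCU Run key, validates the SID-like RECYCLER folder name, checks Desktop.ini for the Recycle Bin CLSID, and flags connections to the listed contact servers or to port 37454 from explorer.exe. The .reg export, the Desktop.ini text and the connection log are constructed sample data; the `proc=... dst=host:port` log format is an assumption of this example, not the output of any particular tool.

```python
import configparser
import re
from typing import Dict, List, Tuple

# Indicators taken from the description above.
DROP_DIR = r"C:\RECYCLER\S-1-5-21-8749679017-0950430147-468708784-3200"
DROPPED_EXE = DROP_DIR + r"\hlpsvc.exe"
RUN_VALUE_NAME = "Microsoft Help and Support"
C2_HOSTS = {"0xdeadbeef.cn", "hitmen.it", "not.malware.lv"}
C2_PORT = 37454
RECYCLE_BIN_CLSID = "{645FF040-5081-101B-9F08-00AA002F954E}"  # Recycle Bin shell folder

# Constructed sample inputs (not captured from a real infection).
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Help and Support"="C:\\RECYCLER\\S-1-5-21-8749679017-0950430147-468708784-3200\\hlpsvc.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''
SAMPLE_DESKTOP_INI = "[.ShellClassInfo]\nCLSID={645FF040-5081-101B-9F08-00AA002F954E}\n"
SAMPLE_CONN_LOG = [  # hypothetical "proc=... dst=host:port" format, assumed for this example
    "proc=explorer.exe dst=hitmen.it:37454 proto=tcp",
    "proc=iexplore.exe dst=www.example.com:80 proto=tcp",
    "proc=explorer.exe dst=0xdeadbeef.cn:37454 proto=tcp",
]


def is_valid_sid(sid: str) -> bool:
    """String-form SID check: S-1-<authority>-<sub>[-<sub>...]. The identifier
    authority is 48 bits, each sub-authority 32 bits, at most 15 sub-authorities,
    and canonical output carries no leading zeros."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S" or parts[1] != "1":
        return False
    numbers = parts[2:]
    if not all(p.isdigit() and p == str(int(p)) for p in numbers):
        return False
    authority, subs = int(numbers[0]), [int(p) for p in numbers[1:]]
    return authority < 2 ** 48 and len(subs) <= 15 and all(s < 2 ** 32 for s in subs)


def recycler_folder_is_suspicious(path: str) -> bool:
    """Per-user bin folders under C:\\RECYCLER are named after a real SID;
    a subfolder whose name is not a valid SID was not created by Windows."""
    m = re.match(r"^[A-Za-z]:\\RECYCLER\\([^\\]+)", path, re.IGNORECASE)
    return bool(m) and not is_valid_sid(m.group(1))


def parse_run_key(reg_export: str) -> Dict[str, str]:
    """Minimal parser for string values in the Run key section of a .reg export."""
    values: Dict[str, str] = {}
    in_run = False
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_run = line.lower().endswith(r"\currentversion\run]")
            continue
        m = re.match(r'^"(.+?)"="(.*)"$', line) if in_run else None
        if m:
            values[m.group(1)] = m.group(2).replace("\\\\", "\\")  # .reg doubles backslashes
    return values


def check_run_value(name: str, data: str) -> List[str]:
    """Return the reasons a Run value matches the persistence described above."""
    findings = []
    if re.search(r"\\RECYCLER\\", data, re.IGNORECASE):
        findings.append("Run value launches a binary from the Recycle Bin directory")
    if recycler_folder_is_suspicious(data):
        findings.append("RECYCLER subfolder name is not a valid SID")
    if name == RUN_VALUE_NAME:
        findings.append("value name impersonates 'Microsoft Help and Support'")
    return findings


def desktop_ini_hides_as_recycle_bin(content: str) -> bool:
    """True if Desktop.ini makes Explorer show the folder as a Recycle Bin."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(content)
    clsid = cp.get(".ShellClassInfo", "CLSID", fallback="")
    return clsid.strip().upper() == RECYCLE_BIN_CLSID


CONN_RE = re.compile(r"proc=(?P<proc>\S+)\s+dst=(?P<host>[^:\s]+):(?P<port>\d+)")


def flag_c2_connections(log_lines: List[str]) -> List[Tuple[str, str, int]]:
    """Flag connections to the listed contact servers or to port 37454.
    Hits from explorer.exe are consistent with the injection described above."""
    hits = []
    for line in log_lines:
        m = CONN_RE.search(line)
        if not m:
            continue
        proc, host, port = m["proc"].lower(), m["host"].lower(), int(m["port"])
        if host in C2_HOSTS or port == C2_PORT:
            hits.append((proc, host, port))
    return hits


if __name__ == "__main__":
    for name, data in parse_run_key(SAMPLE_REG_EXPORT).items():
        print(name, "->", check_run_value(name, data))
    print("Desktop.ini masquerades as Recycle Bin:", desktop_ini_hides_as_recycle_bin(SAMPLE_DESKTOP_INI))
    print("C2 connections:", flag_c2_connections(SAMPLE_CONN_LOG))
```

On a live host the Run key can be exported with `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg` and fed to `parse_run_key`; the SID check catches the dropped folder even if the worm is renamed, since any RECYCLER subfolder that is not a valid SID is worth a look.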