| Malware name | Worm.Autorun.cbm.4 |
| Type | Worm |
| Affected platform | Win32 |
| Media-Type | application/executable |
| MD5 checksum | DB2BB40ECC757EE04BF1FD37E277406D |
| Static file | yes |
| Filesize | 233,472 Bytes |

Alias names (also known as)
| Sophos | Mal/Veneb-A |
| McAfee | W32/Autorun.worm.bm |
| CA ETrust | Win32/SillyAutorun.PE |

Protection
| Webwasher Anti Malware | 7000.6050.x |

Side effects
- Downloads a file
- Drops files
- Records keystrokes
- Registry modification
- Steals information
- Third party control

Propagation
| Propagation | Mapped network drives |

Description:
Files
It copies itself to the following locations:
• %WINDIR%\userinit.exe
• %SYSDIR%\system.exe
• %drive%\Secret.exe
The following files are created:
– Non-malicious file:
• %SYSDIR%\MSWINSCK.OCX
– %drive%\autorun.inf This is a non-malicious text file with the following content:
• %code that runs malware%
– %WINDIR%\kdcoms.dll This file contains collected keystrokes.
It tries to download a file:
– The location is the following:
• http://fil**********pera.com/hav_online/files/task.rar
Registry
The following registry key is added continuously, in an infinite loop, so that the process runs after reboot.
– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
• Userinit="%WINDIR%\userinit.exe"
Backdoor
Contact server: It contacts the following server:
• scs**********h.cx:8800
File details
Programming language:
The malware program was written in Visual Basic.