Tuesday, March 16, 2010

worm.autorun.b

Type: worm

Alias: worm.win32.agent.wm, trojan:win32/ircbrute, generic.dx!pv

Description: Worm.Autorun.B is a worm for windows platforms. This worm may be dropped by other malware. It may be downloaded unknowingly by a user when visiting malicious Web sites. Worm.Autorun.B infects the system in a way to give trouble to the user. It Hides system files, Disable Folder Options, Hide File Extensions, Disable Autorun, Disable Registry Editor, Disable the Task Manager and Enable automatic execution of itself.

Malware Threat

worm.autorun.b

Files

C:\Documents and Settings\user-account-name\Local Settings\Temp\hn.exe
C:\Windows\vmnat.exe
C:\Windows\Server.exe
C:\Documents and Settings\user-account-name\Local Settings\Temp\RisinG.exe
C:\xv.exe
C:\hn.exe
C:\w98.com
C:\X0R.exe
C:\hd1.exe
C:\fix.exe
C:\Cfg.exe
C:\Windows\System32\RisinG.exe
C:\rox.exe
C:\bob.exe
C:\ise.exe
C:\Wins.exe
C:\JUZZ.exe
C:\ruip.exe
C:\root.exe
C:\avi32.exe
C:\Furio.exe
C:\yb12j.cmd
C:\Redem.exe
C:\Windows\System32\debug_32.exe
C:\Windows\System32\compmgmt.exe
C:\system.exe
C:\RisinG.exe
C:\Server.exe
C:\Devrgm.exe
C:\DllSrv.exe
C:\NirCmd.exe
C:\AutoRun.exe
C:\WinMgmt.exe
C:\spoolsv.exe
C:\stcvhost.exe
C:\autorunme.exe
C:\Windows\Tasks\dmadmin_1.exe
C:\Program Files\Common Files\RisinG.exe
C:\RESTORE\k-1-3542-4232123213-7676767-8888886\xv.exe
C:\RECYCLE\D-0-060-0000000000-1111111-2222222\fix.exe
C:\RESTORE\k-1-3542-4232123213-7676767-8888886\X0R.exe
C:\RESTORE\k-1-3542-4232123213-7676767-8888886\hd1.exe
C:\RECYCLER\k-1-3542-4232123213-7676767-8888886\xv.exe
C:\RECYCLER\k-1-3542-4232123213-7676767-8888886\hn.exe
C:\RESTORE\k-1-3542-4232123213-7676767-8888886\root.exe
C:\RECYCLER\k-1-3542-4232123213-7676767-8888886\hd1.exe
C:\RECYCLER\k-1-3542-4232123213-7676767-8888886\Wins.exe
C:\RECYCLER\k-1-3542-4232123213-7676767-8888886\root.exe
C:\RECYCLER\k-1-3542-4232123213-7676767-8888886\JUZZ.exe
C:\RESTORE\k-1-3542-4232123213-7676767-8888886\Devrgm.exe
C:\RECYCLER\P-1-3-64-8794238531-8742492-9897532\Redem.exe
C:\RECYCLER\P-1-3-64-8794238531-8742492-9897532\Furio.exe
C:\RESTORE\k-1-3542-4232123213-7676767-8888886\randll.exe
C:\RESTORE\k-1-3542-4232123213-7676767-8888886\Desktop.ini
C:\RECYCLER\k-1-3542-4232123213-7676767-8888886\Desktop.ini
C:\RECYCLER\P-1-3-64-8794238531-8742492-9897532\Desktop.ini
C:\CONFIG\S-1-5-21-1482476501-1644491937-682003330-1013\Cfg.exe
C:\restore\s-1-5-21-1482476501-1644491937-682003330-1013\bob.exe
C:\restore\s-1-5-21-1482476501-1644491937-682003330-1013\rox.exe
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise.exe
C:\RECYCLER\S-1-5-21-3101491489-8599064343-199202316-0109\hd1.exe
C:\RECYCLER\S-1-5-21-3101491489-8599064343-199202316-0109\X0R.exe
C:\System\S-1-5-21-1482476501-1644491937-682003330-1013\system.exe
C:\recycler\s-1-6-21-2434476501-1644491937-600003330-1213\ruip.exe
C:\RECYCLE\S-1-5-21-5311846712-4121495154-682003330-5111\system.exe
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\avi32.exe
C:\RECYCLER\S-3-6-22-3434476501-1644491937-600003330-1213\DllSrv.exe
C:\RECYCLER\S-1-6-21-2438476501-1644491937-701003331-1213\NirCmd.exe
C:\RECYCLE\X-5-4-27-2345678318-4567890223-4234567884-2341\RisinG.exe
C:\RECYCLER\S-1-6-21-2438476501-1644491937-701003331-1213\WinMgmt.exe
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\spoolsv.exe
C:\RECYCLE\X-5-4-27-2345678318-4567890223-4234567884-2341\Desktop.ini
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini
C:\RECYCLER\S-1-5-21-1482276501-1663491937-6831267430-1013\Desktop.ini
C:\RECYCLER\S-1-5-21-1482276501-1663491937-6831267430-1013\svchost.exe
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\stcvhost.exe
C:\RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213\autorunme.exe
C:\system\g-923-321232-3232-32211-23\memory.exe
C:\system\g-923-321232-3232-32211-23\driver.exe
C:\Driver\Files\zpharaoh.exe
C:\Driver\Files\drago.exe
C:\u2.cmd
C:\Documents and Settings\user-account-name\Local Settings\Temp\drago.exe
C:\u2.cmd
C:\HONEY\MOON\DesKTop.ini
C:\HONEY\MOON\DRG.exe
C:\SUD\SSOW\sep.exe
C:\SALU\KNOW\taN.exe
C:\NNITEDN\LODGI\NintenD.exe
C:\root\system\may.exe
C:\DATA\DELETED\POWER.exe
C:\Driver\Files\zerX.exe
C:\SYSTEM\FILES\ARMY.exe
C:\re\back\BcK.exe
C:\uck\fk.exe
C:\vidi\unuk\drg.exe
C:\mad\track\mad.exe
C:\mad\track\desktop.ini
C:\Documents and Settings\user-account-name\Local Settings\Temp\maaad.exe

Registry Keys

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{67KLN5J0-4OPM-00WE-AAX5-74CC3A187132}
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{67KLN5J0-4OPM-00WE-AAX5-74CC3A182132}
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{23KLN5J0-4OPM-11WE-AAX5-24EF1F387232}
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{26KLN5J0-4OPX-11WE-AAX3-24EF1F387272}
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{28ABC5C0-4FCB-11CF-AAX5-21CX1C987224}
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{28ABC5C0-4FCB-11CF-AAX5-21CX1C987892}
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{98ZVD5C0-4FCB-11CF-AAX5-81CX1C635612}
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{67KLN5J0-4OPM-01WE-AAX2-5657QCA554112}
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{67mad3m8-3mad-81ad-mad6-78op5g1234521}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{67KLN5J0-4OPM-00WE-AAX5-74CC3A187132}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{67KLN5J0-4OPM-00WE-AAX5-74CC3A182132}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{23KLN5J0-4OPM-11WE-AAX5-24EF1F387232}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{26KLN5J0-4OPX-11WE-AAX3-24EF1F387272}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{28ABC5C0-4FCB-11CF-AAX5-21CX1C987224}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{28ABC5C0-4FCB-11CF-AAX5-21CX1C987892}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{98ZVD5C0-4FCB-11CF-AAX5-81CX1C635612}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{67KLN5J0-4OPM-01WE-AAX2-5657QCA554112}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{67mad3m8-3mad-81ad-mad6-78op5g1234521}

Registry Values

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Updates
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\serviice
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Firewall service
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Windows Virtual Manager

- rbot.aznRbot.AZN is a backdoor worm that spreads through network shares and allows attackers to access and control over infected computer.
- rbot.azoRbot.AZO is a backdoor worm that spreads through network shares and allows attackers to access and control over infected computer.
- rbot.azpRbot.AZP is a backdoor worm that spreads through network shares and allows attackers to access and control over infected computer.
- rbot.azqRbot.AZQ is a backdoor worm that spreads through network shares and allows attackers to access and control over infected computer.
- rbot.azuRbot.AZU is a Trojan for the Windows platform. Rbot.AZU runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.
- rbot.azvRbot-AZV is a worm and IRC backdoor Trojan for the Windows platform. Rbot-AZV runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.
- rbot.azxRbot.AZX is a backdoor worm that spreads through network shares and allows attackers to access and control over infected computer.

worm.autorun.b

ACROSS THE GLOBE

ACROSS THE GLOBE

IN United States

FROM United States