Posted by: Amker
« on: 16. June 2007., 15:14:27 »

This detection is for a worm that spreads via removable USB media, and is also a rootkit.

Trojan-Downloader.Win32.VB.anf (Kaspersky)
BackDoor.Generic.1563 (Doctor Web)
Win32/TrojanDownloader.VB.ANF (ESET NOD32)
W32/UsbStorm.A.worm (Panda)
Characteristics -

Note: File names and registry entries listed here may vary with different versions of the malware. Hence this is a generic description.

Upon execution, this malware copies itself into the following location.

This file is then executed and installed as a rootkit, such that its process is not visible under the process list.

It modifies the following registry entry for loading at system startup.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Userinit"
Data : C:\Windows\system32\userinit.exe, C:\Windows\system32\internt.exe

It then copies itself, along with an autorun.inf file, to all the removable USB media.
Symptoms -

Presence of the files and registry entries mentioned.
Method of Infection -

This worm spreads by copying the following files to removable USB media.
CN911.exe (copy of the worm)
Removal -

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

Additional Windows ME/XP removal considerations
