Members
  • Total Members: 14197
  • Latest: Levine
Stats
  • Total Posts: 43423
  • Total Topics: 16520
  • Online today: 2635
  • Online ever: 51419
  • (01. January 2010., 10:27:49)
Users Online
Users: 1
Guests: 2623
Total: 2624









Author Topic: W32/USBAuto.worm!rootkit  (Read 3829 times)

0 Members and 1 Guest are viewing this topic.

Amker

  • SCF Global Moderator
  • *****
  • Posts: 1076
  • KARMA: 22
  • Gender: Male
    • SCforum.info
W32/USBAuto.worm!rootkit
« on: 16. June 2007., 15:14:27 »
This detection is for a worm that spreads via removable USB media, and is also a rootkit.

Aliases:

Trojan-Downloader.Win32.VB.anf  (Kaspersky)
BackDoor.Generic.1563  (Doctor Web)
Win32/TrojanDownloader.VB.ANF  (ESET NOD32)
W32/UsbStorm.A.worm  (Panda)
Characteristics -


Note: File names and registry entries listed here may vary with different versions of the malware. Hence this is a generic description.

Upon execution, this malware copies inself into the following location.
C:\Windows\system32\internt.exe

This file is then executed and installed as a rootkit, such that its process is not visible under the process list.

It modifies the following registry entry for loading at system startup.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Userinit"
Data : C:\Windows\system32\userinit.exe, C:\Windows\system32\internt.exe

It then copies itself, along with an autorun.inf file, to all the removable USB media.
Symptoms -


Presence of the files and registry entries mentioned.
Method of Infection -


This worm spreads by copying the following files to removable USB media.
autorun.inf
CN911.exe (copy of the worm)
Removal -


A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

Additional Windows ME/XP removal considerations

McAfee
# Online Anti-Malware Scanners: http://scforum.info/index.php/topic,734.0.html

Samker's Computer Forum - SCforum.info

W32/USBAuto.worm!rootkit
« on: 16. June 2007., 15:14:27 »

 

With Quick-Reply you can write a post when viewing a topic without loading a new page. You can still use bulletin board code and smileys as you would in a normal post.

Name: Email:
Verification:
Type the letters shown in the picture
Listen to the letters / Request another image
Type the letters shown in the picture:
Second Anti-Bot trap, type or simply copy-paste below (only the red letters):www.codekids.ba:

Enter your email address to receive daily email with 'SCforum.info - Samker's Computer Forum' newest content:

Kursevi programiranja za ucenike u Sarajevu

Terms of Use | Privacy Policy | Advertising
TinyPortal 2.3.1 © 2005-2023