W32/Autorun.worm.gen!17BA3F84

Type: Virus
SubType: Worm
Discovery Date: 07/29/2008
Length: varies
Minimum DAT: 5350 (07/30/2008)
Updated DAT: 5350 (07/30/2008)
Minimum Engine: 5.2.00
Description Added: 07/29/2008
Description Modified: 07/29/2008 5:13 PM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

System Changes

These are general defaults for typical path variables (they may differ from system to system, but these examples are common):
%WinDir% = \WINDOWS (Windows 9x/ME/XP/Vista), \WINNT (Windows NT/2000)
%SystemDir% = \WINDOWS\SYSTEM (Windows 98/ME), \WINDOWS\SYSTEM32 (Windows XP/Vista), \WINNT\SYSTEM32 (Windows NT/2000)
%ProgramFiles% = \Program Files

The following files have been added to the system:

  • %WINDIR%\system32\~a~m~b~u~r~a~d~u~l~
  • %WINDIR%\system32\~a~m~b~u~r~a~d~u~l~\~paraysutki_vm_community~
  • %WINDIR%\system32\~a~m~b~u~r~a~d~u~l~\csrss.exe
  • %WINDIR%\system32\~a~m~b~u~r~a~d~u~l~\lsass.exe
  • %WINDIR%\system32\~a~m~b~u~r~a~d~u~l~\msvbvm60.dll
  • %WINDIR%\system32\~a~m~b~u~r~a~d~u~l~\services.exe
  • %WINDIR%\system32\~a~m~b~u~r~a~d~u~l~\smss.exe
  • %WINDIR%\system32\~a~m~b~u~r~a~d~u~l~\winlogon.exe
  • c:\images\_palbtn
  • c:\images\_palbtn\~ g0yang ranjang ~.exe
  • c:\images\_palbtn\gepacar4an neh!!!.exe
  • c:\images\_palbtn\ke.. tauan n90c0k.exe
  • c:\images\_palbtn\ma5turbas1 xl1m4xs.exe
  • c:\images\_palbtn\praptih g4dies pujaanku.exe
  • c:\images\_palbtn\sirkuit bali smunza.exe
  • c:\images\ce_pen9god4.exe
  • c:\images\m0d3l_p4ray_ 2007.exe
  • c:\images\malam mingguan.exe
  • c:\images\nonkrong djem8atan k4h4yan.exe
  • c:\images\ph0to ber5ama.exe
  • c:\images\piknik dt4ngkilin9.exe
  • c:\images\trend 9aya ram8ut 2007.exe
  • d:\images\_palbtn
  • d:\images\_palbtn\~ g0yang ranjang ~.exe
  • d:\images\_palbtn\gepacar4an neh!!!.exe
  • d:\images\_palbtn\ke.. tauan n90c0k.exe
  • d:\images\_palbtn\ma5turbas1 xl1m4xs.exe
  • d:\images\_palbtn\praptih g4dies pujaanku.exe
  • d:\images\_palbtn\sirkuit bali smunza.exe
  • d:\images\ce_pen9god4.exe
  • d:\images\m0d3l_p4ray_ 2007.exe
  • d:\images\malam mingguan.exe
  • d:\images\nonkrong djem8atan k4h4yan.exe
  • d:\images\ph0to ber5ama.exe
  • d:\images\piknik dt4ngkilin9.exe
  • d:\images\trend 9aya ram8ut 2007.exe

The following registry elements have been created:

  • hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options\ansav.exe\
    debugger = cmd.exe /c del
  • hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options\ansavgd.exe\
    debugger = cmd.exe /c del
  • hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options\boot.exe\
    debugger = cmd.exe /c del
  • hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options\cmd.exe\
    debugger = rundll32.exe
  • hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options\hokage4.exe\
    debugger = cmd.exe /c del
  • hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options\hokagefile.exe\
    debugger = cmd.exe /c del
  • hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options\instal.exe\
    debugger = cmd.exe /c del
  • hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options\kakashihatake.exe\
    debugger = cmd.exe /c del
  • hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options\kspool.exe\
    debugger = cmd.exe /c del
  • hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options\kspoold.exe\
    debugger = cmd.exe /c del
  • hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options\mmc.exe\
    debugger = rundll32.exe
  • hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options\msconfig.exe\
    debugger = rundll32.exe
  • hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options\msiexec.exe\
    debugger = rundll32.exe
  • hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options\obito.exe\
    debugger = cmd.exe /c del
  • hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options\pcmav-cln.exe\
    debugger = cmd.exe /c del
  • hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options\pcmav-rtp.exe\
    debugger = cmd.exe /c del
  • hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options\procexp.exe\
    debugger = cmd.exe /c del
  • hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options\rin.exe\
    debugger = cmd.exe /c del
  • hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options\rstrui.exe\
    debugger = rundll32.exe
  • hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options\smp.exe\
    debugger = cmd.exe /c del
  • hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options\taskkill.exe\
    debugger = rundll32.exe
  • hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options\tasklist.exe\
    debugger = rundll32.exe
  • hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options\wscript.exe\
    debugger = rundll32.exe
  • hkey_local_machine\software\policies\microsoft\windows nt\systemrestore\
    disableconfig = 1
    disablesr = 1
  • hkey_users\s-1-5-21-1202660629-602609370-839522115-500\software\microsoft\windows\currentversion\policies\system\
    disableregistrytools = 1
  • hkey_users\s-1-5-21-1202660629-602609370-839522115-500\software\policies\microsoft\windows\system\
    disablecmd = 0

The following registry elements have been changed:

  • hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options\install.exe\
    debugger = cmd.exe /c del
  • hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options\setup.exe\
    debugger = cmd.exe /c del
  • hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon\
    shell = [binary data]
  • hkey_local_machine\software\microsoft\windows\currentversion\explorer\advanced\folder\hidefileext\
    defaultvalue = 1
    uncheckedvalue = 1
  • hkey_local_machine\software\microsoft\windows\currentversion\explorer\advanced\folder\superhidden\
    checkedvalue = 0
    defaultvalue = 0
    type = checkbok
    uncheckedvalue = 0
  • hkey_local_machine\software\microsoft\windows\currentversion\policies\system\
    enablelua = 0
  • hkey_local_machine\software\microsoft\windows\currentversion\run\
    barlonddilhep = [binary data]
    realtimeprotector = [binary data]
    updater = [binary data]
    visulabacis = [binary data]
    windowsupdate = [binary data]
  • hkey_local_machine\software\policies\microsoft\windows\installer\
    disablemsi = 1
    limitsystemrestorecheckpointing = 1
  • hkey_users\s-1-5-21-1202660629-602609370-839522115-500\software\microsoft\internet explorer\main\
    window title = ++++ hey, hokage/babon (anbu*team*sampit), is this my places, wanna start a war ++++
  • hkey_users\s-1-5-21-1202660629-602609370-839522115-500\software\microsoft\windows\currentversion\explorer\advanced\
    hidefileext = 1
    showsuperhidden = 0
    superhidden = 0
  • hkey_users\s-1-5-21-1202660629-602609370-839522115-500\software\microsoft\windows\currentversion\policies\explorer\
    nofind = 1

Symptoms

Method of Infection

Removal

Variants

    N/A
