McAfee DAT files contain detection and repair information for threats. The Minimum DAT field specifies the lowest/oldest DAT version that is capable of detecting the first incarnation of a threat, together with its release date. The highest/newest DAT version should always be used for the most complete protection; it is available on the Anti-Virus Updates page.
Each description displays the minimum, fully tested, DAT version that includes regular detection for a particular threat. These fully tested DATs are released on a daily basis. If necessary, they are also released when a Medium, Medium On Watch, or High risk threat is discovered. An EXTRA.DAT will also be posted for these more prevalent threats, if necessary.
For each description listed, detection is always available. In the event that the DAT version specified is not yet available, an EXTRA.DAT file may be downloaded via the McAfee AVERT Extra.dat Request Page. Alternatively, minimally tested HOURLY BETA DAT files are available for downloading.
Overview
This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then further propagate the virus. Although many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
Characteristics
| File Property | Property Value |
|---|---|
| FileName | filke.exe |
| McAfee Detection | W32/Autorun.worm.gen |
| Length | 53,760 bytes |
| CRC | 7BC045E8 |
| MD5 | 61BE3B70ADDF860B12D4562EA3F0F5E0 |
| SHA1 | 1020802FD6907A4AE8EEEFF59E764C709FC3D62C |
Other Common Detection Aliases
| Company Name | Detection Name |
|---|---|
| AVG (GriSoft) | worm/generic.hma |
| Eset | probably unknown NewHeur_PE virus [7] |
| Microsoft | worm:win32/autorun.bw |
| Norman | w32/smalltroj.emsm |
| Symantec | Trojan Horse |
| Trend Micro | WORM_AUTORUN.BIY |
Avert® Labs has observed the following system activities:
| Activity | Risk Level |
|---|---|
| Hides files from the user | Critical |
| Modifies the Operating System Security Policy | Critical |
| Program often suspends itself | Medium |
| Uses Shared Memory of Other Processes | Low |
| Writes Executable in the Windows Folder | Low |
| Creates Registry Keys and Data values persistent on OS Reboot | Informational |
This sample can be identified by the following symptoms.
System Changes
These are the general defaults for typical path variables (they may differ on a given system, but these examples are common):
%WinDir% = \WINDOWS (Windows 9x/ME/XP/Vista), \WINNT (Windows NT/2000)
%SystemDir% = \WINDOWS\SYSTEM (Windows 98/ME), \WINDOWS\SYSTEM32 (Windows XP/Vista), \WINNT\SYSTEM32 (Windows NT/2000)
%ProgramFiles% = \Program Files
The following files were analyzed:
%USERPROFILE%\local settings\temp\filke.exe
The following files have been added to the system:
%WINDIR%\system32\~a~m~b~u~r~a~d~u~l~
%WINDIR%\system32\~a~m~b~u~r~a~d~u~l~\~paraysutki_vm_community~
%WINDIR%\system32\~a~m~b~u~r~a~d~u~l~\csrss.exe
%WINDIR%\system32\~a~m~b~u~r~a~d~u~l~\lsass.exe
%WINDIR%\system32\~a~m~b~u~r~a~d~u~l~\msvbvm60.dll
%WINDIR%\system32\~a~m~b~u~r~a~d~u~l~\services.exe
%WINDIR%\system32\~a~m~b~u~r~a~d~u~l~\smss.exe
%WINDIR%\system32\~a~m~b~u~r~a~d~u~l~\winlogon.exe
c:\images\_palbtn
c:\images\_palbtn\~ g0yang ranjang ~.exe
c:\images\_palbtn\gepacar4an neh!!!.exe
c:\images\_palbtn\ke.. tauan n90c0k.exe
c:\images\_palbtn\ma5turbas1 xl1m4xs.exe
c:\images\_palbtn\praptih g4dies pujaanku.exe
c:\images\_palbtn\sirkuit bali smunza.exe
c:\images\ce_pen9god4.exe
c:\images\m0d3l_p4ray_ 2007.exe
c:\images\malam mingguan.exe
c:\images\nonkrong djem8atan k4h4yan.exe
c:\images\ph0to ber5ama.exe
c:\images\piknik dt4ngkilin9.exe
c:\images\trend 9aya ram8ut 2007.exe
d:\images\_palbtn
d:\images\_palbtn\~ g0yang ranjang ~.exe
d:\images\_palbtn\gepacar4an neh!!!.exe
d:\images\_palbtn\ke.. tauan n90c0k.exe
d:\images\_palbtn\ma5turbas1 xl1m4xs.exe
d:\images\_palbtn\praptih g4dies pujaanku.exe
d:\images\_palbtn\sirkuit bali smunza.exe
d:\images\ce_pen9god4.exe
d:\images\m0d3l_p4ray_ 2007.exe
d:\images\malam mingguan.exe
d:\images\nonkrong djem8atan k4h4yan.exe
d:\images\ph0to ber5ama.exe
d:\images\piknik dt4ngkilin9.exe
d:\images\trend 9aya ram8ut 2007.exe
The following registry elements have been created:
hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options\ansav.exe\
- debugger = cmd.exe /c del
hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options\ansavgd.exe\
- debugger = cmd.exe /c del
hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options\boot.exe\
- debugger = cmd.exe /c del
hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options\cmd.exe\
hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options\hokage4.exe\
- debugger = cmd.exe /c del
hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options\hokagefile.exe\
- debugger = cmd.exe /c del
hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options\instal.exe\
- debugger = cmd.exe /c del
hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options\kakashihatake.exe\
- debugger = cmd.exe /c del
hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options\kspool.exe\
- debugger = cmd.exe /c del
hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options\kspoold.exe\
- debugger = cmd.exe /c del
hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options\mmc.exe\
hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options\msconfig.exe\
hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options\msiexec.exe\
hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options\obito.exe\
- debugger = cmd.exe /c del
hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options\pcmav-cln.exe\
- debugger = cmd.exe /c del
hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options\pcmav-rtp.exe\
- debugger = cmd.exe /c del
hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options\procexp.exe\
- debugger = cmd.exe /c del
hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options\rin.exe\
- debugger = cmd.exe /c del
hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options\rstrui.exe\
hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options\smp.exe\
- debugger = cmd.exe /c del
hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options\taskkill.exe\
hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options\tasklist.exe\
hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options\wscript.exe\
hkey_local_machine\software\policies\microsoft\windows nt\systemrestore\
- disableconfig = 1
- disablesr = 1
hkey_users\s-1-5-21-1202660629-602609370-839522115-500\software\microsoft\windows\currentversion\policies\system\
hkey_users\s-1-5-21-1202660629-602609370-839522115-500\software\policies\microsoft\windows\system\
The following registry elements have been changed:
hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options\install.exe\
- debugger = cmd.exe /c del
hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options\setup.exe\
- debugger = cmd.exe /c del
hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon\
hkey_local_machine\software\microsoft\windows\currentversion\explorer\advanced\folder\hidefileext\
- defaultvalue = 1
- uncheckedvalue = 1
hkey_local_machine\software\microsoft\windows\currentversion\explorer\advanced\folder\superhidden\
- checkedvalue = 0
- defaultvalue = 0
- type = checkbok
- uncheckedvalue = 0
hkey_local_machine\software\microsoft\windows\currentversion\policies\system\
hkey_local_machine\software\microsoft\windows\currentversion\run\
- barlonddilhep = [binary data]
- realtimeprotector = [binary data]
- updater = [binary data]
- visulabacis = [binary data]
- windowsupdate = [binary data]
hkey_local_machine\software\policies\microsoft\windows\installer\
- disablemsi = 1
- limitsystemrestorecheckpointing = 1
hkey_users\s-1-5-21-1202660629-602609370-839522115-500\software\microsoft\internet explorer\main\
- window title = ++++ hey, hokage/babon (anbu*team*sampit), is this my places, wanna start a war ++++
hkey_users\s-1-5-21-1202660629-602609370-839522115-500\software\microsoft\windows\currentversion\explorer\advanced\
- hidefileext = 1
- showsuperhidden = 0
- superhidden = 0
hkey_users\s-1-5-21-1202660629-602609370-839522115-500\software\microsoft\windows\currentversion\policies\explorer\
Symptoms
The symptoms of this detection are the files, registry elements, and network communication referenced in the Characteristics section.
Method of Infection
Viruses are self-replicating. They are often spread by a network or by transmission to a removable medium such as a removable disk, writable CD, or USB drive. Viruses may also spread by infecting files on a network file system or a file system that is shared by another computer.
Removal
All Users:
Use current engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed successfully when cleaning with the recommended engine and DAT combination (or higher).
Variants