VIRUS NAME: W32/Vig.worm

Virus Characteristics

This worm attempts to copy itself to floppy disks, local drives and mapped network drives. It is written in Visual Basic 6 and packed with UPX. At the time of writing AVERT has received a single sample from the field.
When run on the victim machine:

- the worm checks for the following five files on A:, local drives and mapped network drives:
  1. PAMELA.EXE
  2. TETRIS.EXE
  3. JUEGO.EXE
  4. INFORME.EXE
  5. AZNARIN.EXE
- if none of them is found on a drive, the worm copies itself to that drive using one of the five filenames
- the worm then copies itself to %SYSDIR% (e.g. C:\WINDOWS\SYSTEM) as DLLRUN32.EXE
- the worm adds the following Registry value to run itself at subsequent system startup:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  "SystemCheck" = %SYSDIR%\DLL32RUN.EXE
  (replace %SYSDIR% as necessary)
- the worm modifies the following Registry value, changing the name of the registered owner:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
  "RegisteredOwner" = Viguito Bufon
- the worm deletes REGEDIT.EXE from the victim machine, so the Registry changes above cannot be reverted with the standard editor until it is restored from installation media or another machine
- the worm may also drop a bitmap onto the victim machine (C:\FOTO.BMP). The image contains a man's photograph with the addition of devil's horns and teeth, together with the text 'Viguito Bufon'.
Symptoms

- existence of copies of the worm with the names/locations described above (the description names the %SYSDIR% copy DLLRUN32.EXE but the Run value points to DLL32RUN.EXE; check for both spellings)
- a "SystemCheck" value under the Run key pointing at a file in %SYSDIR%
- REGEDIT.EXE deleted
- the registered owner of the machine matching that described above
- presence of C:\FOTO.BMP
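The following script checks a host for the indicators listed above. It is an added example for this page, not AVERT's or any vendor's tool. The matching logic is a pure function over a snapshot of file paths and Registry values, so it can be exercised offline on a constructed snapshot; on a Windows host, collect_snapshot() builds that snapshot from the live system. It assumes the %windir% environment variable is set (true on NT-family systems; on a Windows 9x machine of the kind this worm targets, pass the paths by hand). Both spellings of the %SYSDIR% filename are checked because the description uses both.

```python
"""Indicator check for W32/Vig.worm (added example, not a vendor tool)."""
import os
import string

# Filenames used for the drive-root copies (from the description).
DROP_NAMES = ["AZNARIN.EXE", "INFORME.EXE", "JUEGO.EXE", "PAMELA.EXE", "TETRIS.EXE"]
# The description names the %SYSDIR% copy DLLRUN32.EXE but the Run value
# points to DLL32RUN.EXE, so both spellings are checked.
SYSDIR_NAMES = ["DLLRUN32.EXE", "DLL32RUN.EXE"]
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "SystemCheck"
VERSION_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion"
OWNER_VALUE = "RegisteredOwner"
OWNER_MARKER = "Viguito Bufon"
BITMAP_PATH = r"C:\FOTO.BMP"


def win_join(directory, name):
    """Join a Windows directory and filename without os.path, which would
    insert '/' when this runs on a non-Windows analysis box."""
    return directory.rstrip("\\") + "\\" + name


def match_indicators(files, registry, drive_roots, sysdir, windir):
    r"""Return a list of (indicator, detail) pairs for the indicators present.

    files:       iterable of paths that exist on the host
    registry:    dict mapping (key, value_name) -> data
    drive_roots: drive roots to check for copies, e.g. ["A:\\", "C:\\"]
    sysdir:      %SYSDIR%, e.g. C:\WINDOWS\SYSTEM
    windir:      directory that should hold REGEDIT.EXE, e.g. C:\WINDOWS
    """
    present = {p.upper() for p in files}
    hits = []
    for root in drive_roots:
        for name in DROP_NAMES:
            path = win_join(root, name).upper()
            if path in present:
                hits.append(("drive_copy", path))
    for name in SYSDIR_NAMES:
        path = win_join(sysdir, name).upper()
        if path in present:
            hits.append(("sysdir_copy", path))
    # Run value whose filename is one of the worm's %SYSDIR% names.
    run_data = registry.get((RUN_KEY, RUN_VALUE))
    if run_data and run_data.rsplit("\\", 1)[-1].upper() in SYSDIR_NAMES:
        hits.append(("run_value", run_data))
    if registry.get((VERSION_KEY, OWNER_VALUE)) == OWNER_MARKER:
        hits.append(("registered_owner", OWNER_MARKER))
    regedit = win_join(windir, "REGEDIT.EXE")
    if regedit.upper() not in present:
        hits.append(("regedit_missing", regedit))
    if BITMAP_PATH.upper() in present:
        hits.append(("bitmap_dropped", BITMAP_PATH))
    return hits


def collect_snapshot():
    """Build (files, registry, drive_roots, sysdir, windir) from a live
    Windows host. Only the candidate paths are stat'ed; no drive walk."""
    import winreg  # Windows-only standard-library module
    windir = os.environ.get("windir", r"C:\WINDOWS")  # assumption: NT-family host
    sysdir = win_join(windir, "SYSTEM")  # Win9x layout named in the description
    if not os.path.isdir(sysdir):
        sysdir = win_join(windir, "SYSTEM32")  # NT-family layout
    drive_roots = [d + ":\\" for d in string.ascii_uppercase if os.path.exists(d + ":\\")]
    candidates = [win_join(r, n) for r in drive_roots for n in DROP_NAMES]
    candidates += [win_join(sysdir, n) for n in SYSDIR_NAMES]
    candidates += [win_join(windir, "REGEDIT.EXE"), BITMAP_PATH]
    files = [p for p in candidates if os.path.exists(p)]
    registry = {}
    for key, value_name in ((RUN_KEY, RUN_VALUE), (VERSION_KEY, OWNER_VALUE)):
        subkey = key.split("\\", 1)[1]  # strip the HKLM\ prefix
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as handle:
                registry[(key, value_name)] = winreg.QueryValueEx(handle, value_name)[0]
        except OSError:
            pass  # key or value absent
    return files, registry, drive_roots, sysdir, windir


if __name__ == "__main__":
    for kind, detail in match_indicators(*collect_snapshot()):
        print(f"{kind}: {detail}")
```

Run it on the suspect machine to list which indicators are present; an empty result means none of the described artefacts were found, which does not rule out a variant using other names. The regedit_missing indicator on its own is weak evidence (the file may have been removed for other reasons) and should be read together with the Run value and RegisteredOwner checks.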
Method Of Infection

Execution of the worm on the local machine.