VIRUS NAME : W32/Denis.worm
Internet Worm Characteristics
This worm browses the network connections to spread to other machines that allow passwordless write access to open shares over NetBIOS, and copies itself into the folder with one of the following names:
- trojan.exe
- pager.exe
- crack.exe
- lines99.exe
- worm.exe
- draw.exe
- mpeg.exe
- low.exe
- byte.exe
- visual.exe
- word.exe
- done.exe
- horse.exe
- express.exe
- toy.exe
- com.exe
- friday.exe
After the worm gets executed, it copies itself into %Windir%\System\ with one of the filenames mentioned above.
It creates these keys in the registry:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\no.exe\@="%VirusPath%"
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\%VName%="%VirusPath%"
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Network\DisablePwdCaching="1"
%VName% is randomly selected from one of these strings:
- winapp
- netbios
- wapihlp
- msvxapp
- dsgrun
- winver32
- gk32ctrl
- Netvx
Symptoms
Presence of the files mentioned above in the %WinDir%\System\ folder.
Method Of Infection
The worm has to be executed manually by a double-click. After the worm copies itself to another machine by using an open share, the worm does not get executed automatically on the victim machine.
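A triage check built from the indicators listed in this description, as an added example that is not part of the original write-up: it correlates the Run value name with a target inside %Windir%\System, because file names such as word.exe or com.exe are too generic to flag on their own. The snapshot dictionary format, the severity labels and the sample hosts are assumptions made for this example.

```python
import ntpath

# Indicator lists copied from the description above.
DROP_NAMES = {"trojan.exe", "pager.exe", "crack.exe", "lines99.exe", "worm.exe",
              "draw.exe", "mpeg.exe", "low.exe", "byte.exe", "visual.exe",
              "word.exe", "done.exe", "horse.exe", "express.exe", "toy.exe",
              "com.exe", "friday.exe"}
RUN_VALUE_NAMES = {"winapp", "netbios", "wapihlp", "msvxapp", "dsgrun",
                   "winver32", "gk32ctrl", "netvx"}

def _is_dropped_copy(path, windir):
    """True if path is <windir>\\System\\<one of the listed file names>."""
    folder, name = ntpath.split(ntpath.normpath(path.strip('"')))
    expected = ntpath.normpath(ntpath.join(windir, "System"))
    return folder.lower() == expected.lower() and name.lower() in DROP_NAMES

def triage(snapshot, windir=r"C:\WINDOWS"):
    """Return findings for one host snapshot (hypothetical inventory format)."""
    findings = []
    for value, data in snapshot.get("run", {}).items():
        name_hit = value.lower() in RUN_VALUE_NAMES
        path_hit = _is_dropped_copy(data, windir)
        if name_hit and path_hit:      # both halves of the Run indicator agree
            findings.append(f"HIGH Run\\{value} -> {data}")
        elif name_hit or path_hit:     # one half only: needs manual review
            findings.append(f"LOW Run\\{value} -> {data}")
    app_path = snapshot.get("app_paths_no_exe")  # default value of App Paths\no.exe
    if app_path is not None:
        findings.append(f"HIGH App Paths\\no.exe -> {app_path}")
    if str(snapshot.get("disable_pwd_caching")) == "1":
        findings.append("INFO DisablePwdCaching=1 (weak on its own)")
    for f in snapshot.get("system_files", []):   # listing of %Windir%\System
        if f.lower() in DROP_NAMES:
            findings.append(f"LOW file System\\{f}")
    return findings

# Constructed sample snapshots, not taken from real hosts.
INFECTED = {
    "run": {"netbios": r"C:\WINDOWS\SYSTEM\draw.exe", "SystemTray": "SysTray.Exe"},
    "app_paths_no_exe": r"C:\WINDOWS\SYSTEM\draw.exe",
    "disable_pwd_caching": 1,
    "system_files": ["draw.exe", "user.exe"],
}
CLEAN = {
    "run": {"SystemTray": "SysTray.Exe", "Word": r"C:\Program Files\Office\word.exe"},
    "system_files": ["user.exe"],
}
```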