This is a worm that propagates via network shares, instant messaging applications and removable drives, and copies itself to all available physical drives. It may be downloaded from remote sites by other malware, or downloaded unknowingly by a user visiting malicious websites. It drops copies of itself and sets the attributes of its dropped files to hidden and read-only.
It has many effects:
- It creates registry entries to enable its automatic execution at every system start-up, under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run:
  Yahoo Messengger = "{install path}\gphone.exe"
  Shell = "Explorer.exe gphone.exe"
- It uses the Windows Task Scheduler to create a scheduled task, %Windows%\Tasks\At{job number}.job, that executes the dropped copy every day at 9:00 AM.
- It modifies registry entries so that files with both the System and Read-only attributes stay hidden, under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System:
  NoFolderOptions = "1" (default value being blank)
  DisableRegistryTools = "1"
- It creates the following registry key(s)/entry(ies) as part of its installation routine, under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares:
  shared = "\New Folder.exe"
  AtTaskMaxHours = "0"
- It deletes the following registry entries:
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  IEProtection = ""
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  BkavFw = ""
- It sends messages that contain a link pointing to a remote copy of itself, using certain instant messaging applications.
- It drops an AUTORUN.INF file to automatically execute the dropped copies when the drives are accessed. This .INF file contains certain strings:
- It drops files named gphone.exe in C:\windows\system32 on XP, and in C:\users\desktop and in temp on Vista and Windows 7.
- It terminates certain processes, if found running in memory.
- It modifies the Internet Explorer home page and search page to point to a certain Web site.
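The registry changes listed above are the quickest things to verify on a suspect machine. The following PowerShell triage script is an added example, not code from the original post: it reads each registry location the write-up names and reports which of the described values are present, without deleting anything. The value names and data are taken from the list above; the Internet Explorer "Main" key and its "Start Page"/"Search Page" value names are an assumption, since the post does not say which values the worm changes, and the HKCU location of the "Shell" value is reproduced exactly as the write-up gives it.

```powershell
# Added triage script (not from the original post). Run in an elevated
# PowerShell session on the suspect host; it only reads, it does not clean.

function Test-RegValue {
    param([string]$Path, [string]$Name, [string]$Note)
    # Emits one finding object when the named value exists under $Path, else nothing.
    if (-not (Test-Path $Path)) { return }
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($null -ne $item -and ($item.PSObject.Properties.Name -contains $Name)) {
        [pscustomobject]@{ Path = $Path; Name = $Name; Data = $item.$Name; Note = $Note }
    }
}

$findings = @()

# Autostart entries (value names exactly as the write-up lists them, misspelling included).
$run = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$findings += Test-RegValue $run 'Yahoo Messengger' 'autostart of the dropped copy'
$findings += Test-RegValue $run 'Shell' 'Explorer.exe chained with gphone.exe'

# Policies that keep the hidden copies hidden and block the Registry Editor.
$pol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$findings += Test-RegValue $pol 'NoFolderOptions' 'Folder Options removed (cannot show hidden files)'
$findings += Test-RegValue $pol 'DisableRegistryTools' 'Registry Editor disabled'

# Installation markers under the WorkgroupCrawler key.
$crawler = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares'
$findings += Test-RegValue $crawler 'shared' 'share-spreading copy name (\New Folder.exe)'
$findings += Test-RegValue $crawler 'AtTaskMaxHours' 'installation marker'

# ASSUMPTION: standard IE keys; the post does not name the values it modifies.
$ieMain = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$findings += Test-RegValue $ieMain 'Start Page'  'IE home page (compare with your baseline)'
$findings += Test-RegValue $ieMain 'Search Page' 'IE search page (compare with your baseline)'

# Entries the worm deletes: their absence is only a weak signal (the security
# product may simply not be installed), so it is reported as a note, not a finding.
$deleted = @(
    @{ Path = $run; Name = 'IEProtection' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name = 'BkavFw' }
)
foreach ($entry in $deleted) {
    $item = Get-ItemProperty -Path $entry.Path -ErrorAction SilentlyContinue
    if ($null -eq $item -or -not ($item.PSObject.Properties.Name -contains $entry.Name)) {
        Write-Host "note: $($entry.Name) is not present under $($entry.Path)"
    }
}

if ($findings.Count -eq 0) {
    Write-Host 'No registry indicators from the write-up were found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

Any hit on the Run or Policies values is a strong indicator on its own; the IE values are only useful against a known-good baseline for the machine, which is why the script prints them rather than judging them. Because the worm sets DisableRegistryTools, run the script from a PowerShell session rather than from regedit, which the policy blocks.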
When it spreads through instant messaging applications, it first checks whether the user's PC has Yahoo Messenger installed; if not, it downloads the program from the legitimate Yahoo site. The message it sends has the following text:
This worm terminates the following process(es), if found running in memory:
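The dropped files, the At{job number}.job task, the AUTORUN.INF on each drive and the copy running in memory are the on-disk and in-memory side of the same infection, and they can be checked together. The following PowerShell script is an added example, not code from the original post: it looks for each file-system artefact described above and for a running gphone.exe, reporting what it finds without deleting anything. Paths are taken from the post; the "C:\users\desktop" wording for Vista and Windows 7 is interpreted here as every profile's Desktop folder, and the "\New Folder.exe" name is checked at drive roots, both of which are assumptions.

```powershell
# Added triage script (not from the original post). Read-only: it reports
# artefacts so an analyst can confirm the infection before cleaning.

function New-Finding([string]$Kind, [string]$Path, [string]$Detail) {
    [pscustomobject]@{ Kind = $Kind; Path = $Path; Detail = $Detail }
}

$results = @()

# 1. Dropped copies: gphone.exe in System32, temp directories and user Desktop folders.
#    ASSUMPTION: "C:\users\desktop" in the post is read as each profile's Desktop.
$dropDirs = @("$env:windir\System32", $env:TEMP, "$env:windir\Temp")
$profiles = Get-ChildItem -Path "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue
foreach ($profile in $profiles) { $dropDirs += Join-Path $profile.FullName 'Desktop' }
foreach ($dir in $dropDirs) {
    $file = Join-Path $dir 'gphone.exe'
    if (Test-Path -LiteralPath $file) {
        # -Force is required because the worm marks its copies Hidden and Read-only.
        $attr = (Get-Item -LiteralPath $file -Force).Attributes
        $results += New-Finding 'dropped file' $file "attributes: $attr"
    }
}

# 2. Scheduled At jobs: %Windows%\Tasks\At<n>.job (the post reports a daily 9:00 AM trigger).
$jobs = Get-ChildItem -Path "$env:windir\Tasks" -Filter 'At*.job' -Force -ErrorAction SilentlyContinue
foreach ($job in $jobs) {
    $results += New-Finding 'scheduled task' $job.FullName "last written $($job.LastWriteTime)"
}

# 3. AUTORUN.INF and the share/drive copy at the root of removable (2) and fixed (3) drives.
$drives = Get-CimInstance Win32_LogicalDisk | Where-Object { $_.DriveType -in 2, 3 }
foreach ($drive in $drives) {
    foreach ($name in @('autorun.inf', 'New Folder.exe')) {
        $candidate = Join-Path $drive.DeviceID $name
        if (Test-Path -LiteralPath $candidate) {
            $attr = (Get-Item -LiteralPath $candidate -Force).Attributes
            $results += New-Finding 'drive root artefact' $candidate "attributes: $attr"
        }
    }
}

# 4. A copy already running in memory.
$procs = Get-Process -Name 'gphone' -ErrorAction SilentlyContinue
foreach ($proc in $procs) {
    $results += New-Finding 'process' $proc.Path "pid $($proc.Id)"
}

if ($results.Count -eq 0) {
    Write-Host 'No file-system or process indicators from the write-up were found.'
} else {
    $results | Format-Table -AutoSize -Wrap
}
```

Check the attributes column: a gphone.exe or autorun.inf carrying both Hidden and ReadOnly matches the behaviour described in the post, and is invisible in Explorer once NoFolderOptions is set, which is why the script uses -Force throughout. Removable drives should be scanned with the same script before being reconnected to any other machine, since the AUTORUN.INF is what re-launches the copy when the drive is opened.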