Win32.Worm.Autorun.SS

MEDIUM
LOW
136.192
(P2P-Worm.Win32.Palevo.jbk, W32/Autorun.worm.zzq)

Symptoms

- presence of the files and registry key from the Technical Description
- computer slows down

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

George Cabau, virus researcher

Technical Description:

This worm tries to spread through MSN and USB removable devices.

At first run, if the malware is not named “sysdate.exe”, it creates a directory in \RECYCLER with a name starting with “S-1-5-21”, copies itself there under the name “sysdate.exe” and creates a file named “Desktop.ini” in the same directory, used to hide the .exe file. If it is already running under the name “sysdate.exe”, it again uses the Desktop.ini method to hide “sysdate.exe” from view in Explorer.

After this, it creates a new registry entry named “Taskman” under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ and sets it to the path of “sysdate.exe”. Next it injects code into the memory space of explorer.exe; the injected code ensures that both “sysdate.exe” and “Desktop.ini” are seen as read-only.

If a new flash drive is connected to an infected system, the malware copies itself to the inserted drive in a directory named “temp”, under the name “winsetup.exe”, and hides the “temp” directory from Explorer by creating another Desktop.ini file. It also creates an autorun.ini file in the root of the removable drive, which launches the malware when the flash drive is connected to another system, spreading the infection in this way.
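Added here as an example for defenders, not part of the Bitdefender description: a Python triage script that checks a mounted volume or disk image for the files described above and flags a Winlogon\Taskman value exported separately (with reg query or a hive parser). The worm's file and directory names come from the description; the stand-in files built by demo(), the case-insensitive lookup and the additional autorun.inf check are assumptions.

```python
import tempfile
from pathlib import Path

# Artifact names are those given in the description of Win32.Worm.Autorun.SS.
SID_PREFIX, DROPPED_EXE, HIDER_INI = "s-1-5-21", "sysdate.exe", "desktop.ini"
USB_DIR, USB_EXE = "temp", "winsetup.exe"
AUTORUN_NAMES = ("autorun.ini", "autorun.inf")  # description says .ini; Windows AutoRun reads .inf


def _child(directory, name):
    """Case-insensitive lookup, so an NTFS image mounted on Linux still matches."""
    return next((p for p in Path(directory).iterdir() if p.name.lower() == name), None)


def scan_volume(root):
    """Look on any volume (system disk or removable drive) for the files the worm drops."""
    root, findings = Path(root), []
    recycler = _child(root, "recycler")
    for entry in (recycler.iterdir() if recycler and recycler.is_dir() else []):
        if entry.is_dir() and entry.name.lower().startswith(SID_PREFIX) and (exe := _child(entry, DROPPED_EXE)):
            hidden = " (hidden by Desktop.ini)" if _child(entry, HIDER_INI) else ""
            findings.append(f"dropped copy {exe}{hidden}")
    temp = _child(root, USB_DIR)
    if temp and temp.is_dir() and (exe := _child(temp, USB_EXE)):
        hidden = " (hidden by Desktop.ini)" if _child(temp, HIDER_INI) else ""
        findings.append(f"USB copy {exe}{hidden}")
    findings += [f"autorun file {root / n}" for n in AUTORUN_NAMES if _child(root, n)]
    return findings


def check_taskman_value(value):
    """Flag a Winlogon\\Taskman value (exported with reg query or a hive parser) pointing at sysdate.exe."""
    hit = bool(value) and value.strip().strip('"').lower().endswith(DROPPED_EXE)
    return f"Taskman persistence: {value}" if hit else None


def demo():
    """Build a constructed infected layout (stand-in files, not the worm) in a temp dir and scan it."""
    drop = "RECYCLER/S-1-5-21-1234567890-1001"
    with tempfile.TemporaryDirectory() as base:
        for rel in (f"C/{drop}/sysdate.exe", f"C/{drop}/Desktop.ini",
                    "E/temp/winsetup.exe", "E/temp/Desktop.ini", "E/autorun.ini"):
            (Path(base) / rel).parent.mkdir(parents=True, exist_ok=True)
            (Path(base) / rel).write_bytes(b"constructed stand-in\n")
        taskman = check_taskman_value("C:\\" + drop.replace("/", "\\") + "\\sysdate.exe")
        return scan_volume(Path(base) / "C"), scan_volume(Path(base) / "E"), taskman
```

Point scan_volume() at a mounted drive letter or image mount point; the Taskman value has to be read from the registry separately since the script only inspects the file system.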