278 KBytes (packed)
(Worm.Win32.Antinny.aw, Win32/Antinny.AK!Worm, WORM_ANTINNY.BJ, W32/Antinny.worm.ab, W32/Antinny.BP)
Existence of %WINDOWS%\UP\ folder
Existence of a zip file in %WINDOWS%\UP\ folder
Existence of C:\ÄEÉl.scr
Win.ini modified (see technical description for more)
Please let BitDefender disinfect your files.
Patrik Vicol, virus researcher
This virus arrives via the Winny peer-to-peer application or file-sharing networks that use Share.exe.
If the user is tricked into executing the scr file, the virus does the following:
1. Displays a fake message in Japanese.
2. Creates and runs a copy of itself as:
C:\ÄEÉl.scr (C:\(japanese text).scr)
3. Creates and then deletes the file FILE.BAT, which attempts to delete itself and the virus copy created previously. However, the deletion of C:\ÄEÉl.scr does not work, while FILE.BAT is deleted.
4. Modifies the WIN.INI file with an infection marker.
5. Creates a folder UP in the %WINDOWS% folder:
This folder will be shared in the Winny and Share applications. A zip file containing a copy of the worm and some documents will be created here.
6. Searches for the Winny and Share application folders.
7. If the Winny application is installed, the virus modifies the configuration file UpFolder.txt for the Winny file-sharing application:
8. If the Share application is installed, the virus modifies the configuration file Folder.ini for the Share application:
9. Searches for files matching:
10. Spreading and information theft:
Creates a zip file in shared %WINDOWS%\UP\ folder:
%WINDOWS%\UP\[ÄEÉl] user_name(date_of_infection-time_of_infection)(random japanese characters).zip
that contains a copy of the worm (random japanese characters).scr
and also files found at step 9 (information theft)
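
The symptoms and steps above can be turned into a host check. The following is an added example, not BitDefender's code: the function names, the directory parameters and the sample tree are constructed for illustration, and it assumes the modified UpFolder.txt or Folder.ini contains the path of the UP folder, which this description does not spell out.

```python
import os
import tempfile

def find_indicators(windows_dir, drive_root, p2p_dirs=()):
    """Return (indicator, path) pairs for the symptoms listed in this description."""
    found = []
    up_dir = os.path.join(windows_dir, "UP")
    if os.path.isdir(up_dir):
        found.append(("up_folder", up_dir))
        for name in sorted(os.listdir(up_dir)):
            if name.lower().endswith(".zip"):
                found.append(("zip_in_up_folder", os.path.join(up_dir, name)))
    # The dropped copy's Japanese file name is garbled on the page, so every
    # .scr sitting directly in the drive root is reported for manual review.
    if os.path.isdir(drive_root):
        for name in sorted(os.listdir(drive_root)):
            path = os.path.join(drive_root, name)
            if name.lower().endswith(".scr") and os.path.isfile(path):
                found.append(("scr_in_drive_root", path))
    # Assumption: the modified Winny/Share config names the UP folder path.
    needle = up_dir.replace("\\", "/").lower()
    for folder in p2p_dirs:
        for cfg in ("UpFolder.txt", "Folder.ini"):
            path = os.path.join(folder, cfg)
            if os.path.isfile(path):
                with open(path, "rb") as fh:
                    text = fh.read().decode("cp932", errors="replace")
                if needle in text.replace("\\", "/").lower():
                    found.append(("p2p_config_shares_up_folder", path))
    return found

def build_constructed_sample(root):
    """Create a constructed directory tree imitating an infected host."""
    win, winny = os.path.join(root, "WINDOWS"), os.path.join(root, "Winny")
    os.makedirs(os.path.join(win, "UP"))
    os.makedirs(winny)
    for path in (os.path.join(win, "UP", "sample.zip"), os.path.join(root, "sample.scr")):
        open(path, "wb").close()
    # Constructed config content, not the real Winny file layout.
    with open(os.path.join(winny, "UpFolder.txt"), "w", encoding="utf-8") as fh:
        fh.write("Path=" + os.path.join(win, "UP") + "\n")
    return win, root, [winny]

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for indicator, path in find_indicators(*build_constructed_sample(tmp)):
            print(indicator, path)
```

The WIN.INI infection marker is not checked because its content is not given here; on a real host, pass the actual Windows directory, the system drive root and the Winny and Share install folders.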