Win32.Worm.Zindos.A

LOW
LOW
6 KB
(Worm.Win32.Zindos.a; Win32/Zindos.A.Trojan)

Symptoms

  • Registry key:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    with the value:
    "Tray" = [worm exe file]

Removal instructions:

Let BitDefender delete files found infected by this worm.

Analyzed By

Mihai Neagu BitDefender Virus Researcher

Technical Description:

When run, the worm creates the registry key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
with the value:
"Tray" = [worm exe file]

The worm uses Backdoor.Mydoom.M to spread on port 1034. It sends itself to random IP addresses 10 times per second. The backdoor on the victim computer saves the worm in the temporary folder, then executes it.

After 3 minutes the worm starts an attack on www.microsoft.com by repeatedly starting a thread that reads the site's start page and deletes the downloaded file 20 times per second. The repeat interval starts at 1 second and increases by 250 milliseconds every time. So after only 5 minutes, about 260 thousand read attempts are made.

The worm file is usually found in the Windows temporary folder, which may be one of the following:

  • %WINDIR%\Temp
  • %Documents And Settings%\%Current User%\Local Settings\Temp

It has a random file name and an EXE extension.
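
A defender-side check for the symptom described above, as an added example that is not part of the original advisory: it parses saved `reg query` output for the Run key and flags a "Tray" value that points at an EXE sitting directly in a folder named Temp. The sample output, the file names in it and the "match"/"review" labels are constructed for illustration.

```python
import ntpath
import re

# "reg query" prints each value as: 4 spaces, name, 4 spaces, type, 4 spaces, data.
VALUE_LINE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")

# Constructed sample of: reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Tray    REG_SZ    C:\WINDOWS\Temp\qzkxv.exe
    Tray Helper    REG_SZ    "C:\Program Files\Vendor\tray.exe" /start
"""

def exe_path(data):
    """Extract the executable path from Run-key data, dropping quotes and arguments."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    m = re.match(r"(?i)(.+?\.exe)(\s|$)", data)
    return m.group(1) if m else data

def in_temp_folder(path):
    """True if the file sits directly in a folder named Temp (both listed locations do)."""
    return ntpath.basename(ntpath.dirname(path)).lower() == "temp"

def check_run_key(reg_query_output):
    """Return (verdict, path) for every Run value named "Tray".

    "match"  = Tray value pointing at an EXE in a Temp folder (the advisory's symptom)
    "review" = Tray value pointing elsewhere; may be legitimate, needs a human look
    """
    findings = []
    for line in reg_query_output.splitlines():
        m = VALUE_LINE.match(line)
        # Registry value names are case-insensitive; the name must be exactly "Tray".
        if not m or m.group("name").lower() != "tray":
            continue
        path = exe_path(m.group("data"))
        hit = path.lower().endswith(".exe") and in_temp_folder(path)
        findings.append(("match" if hit else "review", path))
    return findings

if __name__ == "__main__":
    for verdict, path in check_run_key(SAMPLE):
        print(f"{verdict}: Tray -> {path}")
```

A "match" means the entry fits the advisory's description, not that the file is confirmed to be this worm; scan the referenced file before removing the value.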