BitDefender weekly review

Bogdan BOTEZATU

August 28, 2009

Win32.Worm.Autorun.TF

When the worm is executed, it makes changes to the registry so that it is run
on every system startup of the infected machine. Next it creates the hidden file
“C:\boot.ini.ini”, in which it writes the current time and the logged-in user.
Then it copies itself into the root directory of every accessible drive under
the name “ntdetect.exe” and creates an autorun.inf file that points to that
executable.

To evade antivirus detection it creates another copy of itself as
%windir%\system32\system.exe and continues execution from that new location.

The new instance performs the following actions every 125 ms:

– rewrites the startup registry key

– checks whether any of its files have been removed, in which case it simply
recreates them

– makes new copies of autorun.inf, boot.ini.ini and ntdetect.exe on every drive

– changes the registry so that hidden files are not displayed, file extensions
are not shown and system directories are not searchable with Windows Explorer

If the user starts the Registry Editor or the Task Manager, the worm
immediately kills them: it scans the titles of all open windows for the strings
“registry editor” or “windows task manager”. If a window whose title contains
“folder options” is opened, it minimizes it and changes its title to
“Registry error!”.

The worm has an unusual way of removing itself or stopping execution, probably
a remnant of its author's debugging. It checks window titles for the strings
“! Exit” or “! Restore”. If one is found, it changes that window's title to
“Type Exit Password” or “Type Restore Password” respectively. The worm then
waits for the window title to change to the correct password: “M13Exit” stops
execution of the worm, and “M13Restore” makes it uninstall itself from the
infected system.

Another command it understood through this method is “! ShowUsers”, which made
the worm generate an *.html file listing the users it had infected up to that
point.

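What a triage script for this worm would check, as an added example (not Bitdefender's code and not taken from the write-up): it looks for the dropped files the article names, parses any autorun.inf to see whether its open=, shellexecute= or shell\...\command= key launches a root-level executable, checks for the relocated copy in system32, and compares the Explorer view settings with their clean values. The Explorer value names (Hidden, HideFileExt, ShowSuperHidden) and their clean values are assumptions based on the standard Explorer “Advanced” settings, since the article does not name the keys; the host snapshots it runs on are constructed, not captured from a real infection.

```python
"""Host triage for the Autorun.TF behaviour described above.

Added example, not Bitdefender's code. It works on a snapshot of the machine
(drive-root listings, autorun.inf contents, the system32 listing and Explorer
registry values) so it runs offline; the snapshots below are constructed.
"""
from __future__ import annotations

import configparser
from dataclasses import dataclass

# Files the write-up says the worm drops in every drive root. The legitimate
# boot-time helper is NTDETECT.COM, so an "ntdetect.exe" in a drive root is
# already suspicious on its own.
WORM_ROOT_FILES = {"ntdetect.exe", "boot.ini.ini"}
# Relocated copy the worm runs from to dodge detection.
WORM_SYSTEM32_FILE = "system.exe"

# Explorer "Advanced" values controlling hidden files and extensions.
# Assumption: the write-up does not name the values; these are the standard
# Explorer settings a worm flips to keep its files out of sight.
EXPLORER_ADVANCED_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
EXPECTED_EXPLORER_VALUES = {
    "Hidden": 1,           # 1 = show hidden files (2 hides them)
    "HideFileExt": 0,      # 0 = show file extensions
    "ShowSuperHidden": 1,  # 1 = show protected operating system files
}

# Constructed autorun.inf modelled on the article (the worm's real file is not quoted).
SAMPLE_AUTORUN_INF = """[autorun]
open=ntdetect.exe
shell\\open\\Command=ntdetect.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
"""


@dataclass
class Finding:
    where: str
    detail: str


def autorun_targets(inf_text: str) -> list[str]:
    """Return the executables an autorun.inf launches (open=, shellexecute=, shell\\...\\command=)."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)  # strict=False: tolerate duplicate keys
    parser.read_string(inf_text)
    if not parser.has_section("autorun"):
        return []
    targets: dict[str, None] = {}  # insertion-ordered set
    for key, value in parser.items("autorun"):  # configparser lower-cases the keys
        launches = key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command"))
        if launches and value.strip():
            targets[value.strip().split()[0].strip('"')] = None  # drop arguments and quotes
    return list(targets)


def check_drive_root(drive: str, listing: set[str], inf_text: str | None) -> list[Finding]:
    """Flag dropped worm files in a drive root and an autorun.inf that launches a root-level executable."""
    names = {n.lower() for n in listing}
    findings = [Finding(f"{drive}\\{name}", "worm-dropped file in drive root")
                for name in sorted(WORM_ROOT_FILES & names)]
    if inf_text is not None:
        for target in autorun_targets(inf_text):
            base = target.replace("/", "\\").rsplit("\\", 1)[-1].lower()
            if base in names or base in WORM_ROOT_FILES:
                findings.append(Finding(f"{drive}\\autorun.inf", f"autorun launches root-level executable {target!r}"))
    return findings


def check_explorer_values(actual: dict[str, int]) -> list[Finding]:
    """Report Explorer values that differ from the expected clean settings."""
    return [Finding(f"{EXPLORER_ADVANCED_KEY}\\{name}", f"is {actual.get(name)!r}, expected {clean}")
            for name, clean in EXPECTED_EXPLORER_VALUES.items() if actual.get(name) != clean]


def triage(drives: dict[str, tuple[set[str], str | None]],
           system32_listing: set[str],
           explorer_values: dict[str, int]) -> list[Finding]:
    """Run every check over a host snapshot and return the combined findings."""
    findings: list[Finding] = []
    for drive, (listing, inf_text) in drives.items():
        findings.extend(check_drive_root(drive, listing, inf_text))
    if WORM_SYSTEM32_FILE in {n.lower() for n in system32_listing}:
        findings.append(Finding("%windir%\\system32\\" + WORM_SYSTEM32_FILE, "relocated worm copy"))
    findings.extend(check_explorer_values(explorer_values))
    return findings


# Constructed snapshots (not real captures): one infected host, one clean one.
INFECTED_SNAPSHOT = dict(
    drives={"C:": ({"autorun.inf", "ntdetect.exe", "boot.ini.ini", "pagefile.sys"}, SAMPLE_AUTORUN_INF),
            "E:": ({"autorun.inf", "ntdetect.exe", "photos"}, SAMPLE_AUTORUN_INF)},
    system32_listing={"system.exe", "kernel32.dll"},
    explorer_values={"Hidden": 2, "HideFileExt": 1, "ShowSuperHidden": 0},
)
CLEAN_SNAPSHOT = dict(
    drives={"C:": ({"pagefile.sys"}, None),
            "E:": ({"autorun.inf", "setup.exe"}, "[autorun]\nicon=setup.exe,0\nlabel=Photos\n")},
    system32_listing={"kernel32.dll"},
    explorer_values={"Hidden": 1, "HideFileExt": 0, "ShowSuperHidden": 1},
)

if __name__ == "__main__":
    for finding in triage(**INFECTED_SNAPSHOT):
        print(f"{finding.where}: {finding.detail}")
    print("clean host findings:", len(triage(**CLEAN_SNAPSHOT)))
```

On a live Windows host the snapshot would come from listing each drive root, reading its autorun.inf and querying the Explorer\Advanced key (for example with reg query or Python's winreg). Because the worm recreates its files and its startup key every 125 ms, the running system.exe instance has to be stopped before any cleanup of the files or registry values sticks.
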
Trojan.Dialer.VYA

The malware downloads a text file from
“http://91.[removed].122/Dialer_Min/number.asp” to “c:\windows\number.txt”.
“number.txt” contains a single premium-rate phone number, randomly picked from
a list. If a modem is attached to the computer, the number is dialed,
inflating the victim's phone bill.

Information in this article is available courtesy of BitDefender virus
researchers Lutas Andrei Vlad and Horea Coroiu.
