This detection is for a worm that attempts to copy itself to the root of any accessible disk volumes.
Additionally it attempts to place an Autorun.inf file on the root of the volume so that it is executed the next time the volume is mounted.
Aliases
Worm.Win32.AutoRun.dve (Kaspersky)
Worm/Autorun.dve (AntiVir)
Characteristics
This detection is for a worm.
It attempts to spread to removable drives by creating an autorun.inf file, which will run the worm automatically, if a systems which use the removable drive are set to Autorun.
The following files are written to root of writeable volumes:
AdobeRd9.0.exe
autorun.inf
scene.exe
The following files are also written to the infected system:
%WinDir%\services.exe
(where %WinDir% is the default Windows directory, for example C:\WINNT, C:\WINDOWS etc.)
The following registry keys are created:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnabled: "FALSE"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Update Client: "%WinDir%\services.exe"
HKEY_USERS\S-1-5-21-746137067-299502267-1547161642-1003\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run: "%WinDir%\services.exe"
The following files are written to root of writeable volumes:
AdobeRd9.0.exe
autorun.inf
scene.exe
Symptoms -
Existence of mentioned files and registry keys
Method of Infection -
This worm may be spread by its intented method of infected removable drives.
Alternatively this may be installed by visiting a malicious web page (either by clicking on a link, or by the website hosting a scripted exploit which installs the worm onto the user's system with no user interaction.
No comments:
Post a Comment