Malware size: 24,576 bytes
First samples received on: 2006-07-17 02:43:18
Installation and Autostart Technique
Upon execution, this worm drops the following copies of itself in the Windows system folder:
- INETSRV.EXE
- DRIVEINFO.EXE
- DRIVEINFO.LOG
However, only INETSRV.EXE attains memory-residency.
To ensure its automatic execution at every system startup, it creates the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
inetsrv = "%System%\inetsrv.exe"
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)
It also creates the following registry entry as part of its installation routine:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Help
VersionNumber = "dword:505c3a31"
Propagation Routines
This worm propagates by copying itself to removable drives and to all available physical drives. However, it skips floppy drives.
It drops AUTORUN.INF in an affected drive's root folder. This file, which contains the following strings, causes its copy named DRIVEINFO.EXE to execute whenever the affected drive is accessed:
[Autorun]
Open=.\Recycled\Driveinfo.exe
Shell\Open\Command=.\Recycled\Driveinfo.exe
It then creates the subfolder Recycled in the affected drive's root folder and drops a copy of itself there named DRIVEINFO.EXE.
Note that this worm runs only if its copy is located in a folder named either Recycled or system32.
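A triage check for the AUTORUN.INF pattern described above, added here as an example and not part of the original description. The function names are illustrative assumptions, and the sample inputs are constructed (the first from the strings listed above).

```python
import ntpath
import os

# Keys in the [Autorun] section that launch a program when the drive is opened.
COMMAND_KEYS = ("open", "shellexecute")

def autorun_commands(text):
    """Return {key: value} for launch keys in the [Autorun] section (case-insensitive)."""
    commands, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            key = key.lower()
            is_shell_verb = key.startswith("shell\\") and key.endswith("\\command")
            if key in COMMAND_KEYS or is_shell_verb:
                commands[key] = value
    return commands

def recycled_targets(text):
    """Return sorted launch targets whose path passes through a folder named Recycled."""
    hits = set()
    for value in autorun_commands(text).values():
        target = value.strip('"')
        folders = ntpath.normpath(target).lower().split("\\")[:-1]
        if "recycled" in folders:
            hits.add(target)
    return sorted(hits)

def scan_drive_root(root):
    """Check one drive root (or mounted image) for an AUTORUN.INF launching from Recycled."""
    for name in os.listdir(root):
        if name.lower() == "autorun.inf":
            with open(os.path.join(root, name), errors="replace") as fh:
                return recycled_targets(fh.read())
    return []

# Constructed sample: the AUTORUN.INF strings listed in the description above.
SAMPLE = "[Autorun]\nOpen=.\\Recycled\\Driveinfo.exe\nShell\\Open\\Command=.\\Recycled\\Driveinfo.exe\n"
# Constructed benign sample for contrast (hypothetical installer media).
BENIGN = "[autorun]\nopen=setup.exe\nicon=setup.exe,0\n"

if __name__ == "__main__":
    print(recycled_targets(SAMPLE))
```

A non-empty result from scan_drive_root means the drive's AUTORUN.INF launches a program from a Recycled folder, which a legitimate recycle bin never needs.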
Other Details
This worm runs on Windows 98, ME, NT, 2000, XP, and Server 2003.