This new piece of rogue software is promoting “System Security”. When executed, the application creates a copy of itself in %appdata%\[random].exe, where [random] is an 8-digit random number. It registers this executable to run at system startup by making changes to the registry and then deletes itself using the batch self-delete technique.
When the e-threat is executed at startup, it mimics a full system scan and alerts the user to numerous infections. All of them are fake and serve a single purpose: to make the victim buy the product to “clean” the computer.
When executed, the worm makes a copy of itself in %temp%\svchost32.exe and registers the executable to run at system startup.
The worm uses two distinct methods to spread. The first is the autorun.inf method. It creates copies of itself in the root folder of every local drive, network drive and removable drive, along with an autorun.inf file which points to the executable.
The second spreading routine uses instant messengers such as Skype, Yahoo! Messenger, Windows Live Messenger, AIM and ICQ. It searches for open windows of these applications and extracts data (user accounts) from several areas of interest: input boxes, lists and sub-windows. It then tries to send a copy of itself to those contacts under the name MichaelJackson_WTF.pif, accomplishing this by mimicking mouse and keyboard actions.
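The persistence locations of both samples and the worm's autorun.inf method give a defender concrete things to check on a suspect machine. The following Python is an added example, not BitDefender's tooling: it flags Run-key values pointing at an 8-digit .exe under %appdata% or at svchost32.exe under %temp%, and parses an autorun.inf for the executable it would launch. The registry values and .inf content are constructed samples.

```python
import re

# Added example for this write-up, not BitDefender tooling. All sample data is constructed.
RE_ROGUE_COPY = re.compile(r"(?i)(?:%appdata%|application data|roaming)\\?(\d{8})\.exe$")  # %appdata%\<8 digits>.exe
RE_WORM_COPY = re.compile(r"(?i)(?:%temp%|\\temp)\\?svchost32\.exe$")  # %temp%\svchost32.exe, not system32\svchost.exe
EXEC_EXT = (".exe", ".pif", ".com", ".scr", ".bat", ".cmd")

def command_path(cmd: str) -> str:
    """Extract the program path from a command line, quoted or bare."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]

def suspicious_run_values(run_values: dict) -> dict:
    """Map Run-key value name -> reason, for entries matching either persistence indicator."""
    hits = {}
    for name, cmd in run_values.items():
        path = command_path(cmd)
        if RE_ROGUE_COPY.search(path):
            hits[name] = "8-digit .exe under %appdata% (rogue persistence)"
        elif RE_WORM_COPY.search(path):
            hits[name] = "svchost32.exe under %temp% (worm persistence)"
    return hits

def autorun_targets(inf_text: str) -> list:
    """Executables an autorun.inf would launch via open=, shellexecute= or shell\\*\\command=."""
    targets, in_autorun = [], False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_autorun = line.lower() == "[autorun]"  # only the [autorun] section is honoured
        elif in_autorun and "=" in line and not line.startswith(";"):
            key, value = line.split("=", 1)
            k = key.strip().lower()
            if k in ("open", "shellexecute") or (k.startswith("shell\\") and k.endswith("\\command")):
                path = command_path(value)
                if path.lower().endswith(EXEC_EXT) and path not in targets:
                    targets.append(path)
    return targets

# Constructed sample Run-key values and autorun.inf content (not real indicators)
SAMPLE_RUN = {
    "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe",
    "SystemSecurity": r'"C:\Documents and Settings\Bob\Application Data\48213907.exe"',
    "svchost32": r"C:\DOCUME~1\Bob\LOCALS~1\Temp\svchost32.exe",
}
SAMPLE_INF = "[autorun]\nopen=svchost32.exe\nshell\\open\\command=svchost32.exe\nicon=shell32.dll,4\n"
```

Running `suspicious_run_values(SAMPLE_RUN)` flags only the two non-benign entries, and `autorun_targets(SAMPLE_INF)` reduces the duplicated open/shell commands to the single executable the drive root would launch.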
Information in this article is available courtesy of BitDefender virus researchers Marius Vanta and Ovidiu Visoiu.