
trojan.Generic.1828131


First posted on 21 November 2011.
Source: BitDefender

Aliases:

trojan.Generic.1828131 is also known as W32.Autorun.worm.cs, Trojan.Win32.Autoit.ci, Win32.Worm.Sohanad.NBN.

Explanation:

This worm performs the following actions upon execution:
- makes a copy of itself inside the %windir% folder, as "regsvr.exe"
- makes a copy of itself inside the %windir%\system32 folder, as "regsvr.exe"
- makes a copy of itself inside the %windir%\system32 folder, as "svchost .exe" (note the space before the extension, which sets it apart from the legitimate svchost.exe)
- registers itself to run at startup in several places, by adding the registry values:
  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run : "Msn Messsenger" -> "c:\Windows\System32\regsvr.exe"
  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell -> "regsvr.exe"
- disables Task Manager, the registry tools and Folder Options by setting the following registry values:
  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System:
  "DisableTaskMgr" -> "0";
  "DisableRegistryTools" -> "0";
  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer:
  "NoFolderOptions" -> "0";
- creates a schedule, using the Windows AT command scheduler, that runs "%windir%\System32\svchost .exe" (the copy of the malware) every day at 09:00 AM. It also removes the limit on how long scheduled tasks may stay active by setting the value
  HKLM\SYSTEM\CurrentControlSet\Services\Schedule: "AtTaskMaxHours" -> "0".
- stops Internet Explorer from starting in offline mode by setting the registry value
  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings: "GlobalUserOffline" -> "0"
- creates the following registry entry so that its copy is shared:
  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares: "shared" -> "New folder.exe". If it finds any shared drives, it copies itself there under the name "New folder.exe".

- spreads itself via shared drives, removable drives and Yahoo! Messenger.
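As an added defender-side example (not part of the BitDefender entry), the Python function below checks host triage data against the registry values and dropped file names listed above; the {key: {value name: data}} input layout, the choice to flag the policy values on presence alone, and the sample host data are assumptions constructed for illustration.

```python
import re

# Registry indicators from the entry: (key, value name, test on the data, note).
# The policy values are flagged on presence alone, whatever data they hold.
REG_INDICATORS = [
    (r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Msn Messsenger",
     lambda d: d.lower().endswith("regsvr.exe"), "Run entry launching regsvr.exe"),
    (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell",
     lambda d: d.lower() != "explorer.exe", "Winlogon Shell replaced"),
    (r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr",
     lambda d: True, "Task Manager policy present"),
    (r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "DisableRegistryTools",
     lambda d: True, "Registry tools policy present"),
    (r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoFolderOptions",
     lambda d: True, "Folder Options policy present"),
    (r"HKLM\SYSTEM\CurrentControlSet\Services\Schedule", "AtTaskMaxHours",
     lambda d: d == "0", "AT task runtime limit removed"),
    (r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings", "GlobalUserOffline",
     lambda d: d == "0", "IE offline mode forced off"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares", "shared",
     lambda d: d.lower() == "new folder.exe", "Workgroup share seeded with New folder.exe"),
]
# Dropped file names; "svchost .exe" carries a space, unlike the real svchost.exe.
DROPPED_FILE = re.compile(r"\\(regsvr\.exe|svchost \.exe)$", re.IGNORECASE)

def scan(registry, files):
    """registry: {key: {value_name: data}} collected from a host (matched
    case-insensitively); files: iterable of full paths. Returns sorted notes."""
    reg = {k.lower(): {n.lower(): v for n, v in vals.items()} for k, vals in registry.items()}
    hits = []
    for key, name, test, note in REG_INDICATORS:
        data = reg.get(key.lower(), {}).get(name.lower())
        if data is not None and test(str(data)):
            hits.append(note)
    hits += [f"dropped file: {p}" for p in files if DROPPED_FILE.search(p)]
    return sorted(hits)

# Constructed sample resembling a triage export from an infected host.
SAMPLE_REGISTRY = {
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {"Msn Messsenger": r"c:\Windows\System32\regsvr.exe"},
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon": {"Shell": "regsvr.exe"},
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System": {"DisableTaskMgr": "0"},
    r"HKLM\SYSTEM\CurrentControlSet\Services\Schedule": {"AtTaskMaxHours": "0"},
}
SAMPLE_FILES = [r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\svchost .exe",
                r"C:\Windows\regsvr.exe"]

if __name__ == "__main__":
    for hit in scan(SAMPLE_REGISTRY, SAMPLE_FILES):
        print(hit)
```

The legitimate svchost.exe in the sample is deliberately left unflagged; only the space-bearing copy and regsvr.exe match.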

Last update 21 November 2011
