
Trojan.Autorun.ND


First posted on 21 November 2011.
Source: BitDefender

Aliases :

There are no other names known for Trojan.Autorun.ND.

Explanation :

When executed, the file copies itself to:

%windir%\killer.exe
%windir%\Funny UST Scandal.exe
%windir%\smss.exe

It creates an autorun.inf file inside the Windows directory, so every time the user enters the Windows directory the smss.exe file created above is executed.

It places a copy of the virus in the root folder of each drive under the names smss.exe and Funny UST Scandal.exe. The autorun.inf file is also copied, so the virus starts each time a user opens one of the drives in Windows Explorer.

To start at Windows startup, it copies itself to:

%WindowsDrive%\Documents and Settings\All users\Start Menu\Programs\Startup\lsass.exe

It adds a value named RunOnce under the key HKCU\Software\Microsoft\Windows\CurrentVersion\Run.

It modifies the value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell so the virus will start with explorer.exe.

It modifies the value HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL to 0 so that hidden files are not shown.

When it finds a window that starts with one of the words “Task”, “Process”, “Registry”, “Setup”, “Installation”, “Virus”, “Configuration”, “Policy”, “system32”, “Security” or “Folder Options”, it closes or hides the window.

It searches for an active conversation on Yahoo Messenger, types the message “open dis ganda nakakatawa” and then sends the virus.

It changes the user status to “sino gusto funny scandal ust pm nio ko”.
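
A triage sketch for the persistence behaviour described above, added here as an example and not BitDefender's code: it flags smss.exe and lsass.exe copies outside System32, lists what an autorun.inf would launch, and checks whether the Winlogon Shell value is still the default. The function names, sample paths, sample Shell value and autorun.inf contents are constructed assumptions; the page does not show the file's contents.

```python
import ntpath

# File names from the write-up that are also genuine Windows binaries; the
# genuine copies live only in %windir%\System32.
SYSTEM_NAMES = {"smss.exe", "lsass.exe"}
LAUNCH_KEYS = {"open", "shellexecute"}  # autorun.inf keys that start a program


def masquerading(paths, windir=r"C:\Windows"):
    """Return paths that use a system binary name outside System32."""
    legit = ntpath.normcase(ntpath.join(windir, "System32"))
    hits = []
    for path in paths:
        folder, name = ntpath.split(ntpath.normcase(path))
        if name in SYSTEM_NAMES and folder != legit:
            hits.append(path)
    return hits


def autorun_targets(text):
    """Return the programs an autorun.inf [autorun] section would launch."""
    targets, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
        elif in_section and "=" in line and not line.startswith(";"):
            key, value = line.split("=", 1)
            if key.strip().lower() in LAUNCH_KEYS:
                targets.append(value.strip())
    return targets


def shell_tampered(value):
    """Winlogon Shell is plain 'explorer.exe' on a default install."""
    return value.strip().lower() != "explorer.exe"


# Constructed triage data, not taken from a real infection.
SAMPLE_PATHS = [
    r"C:\Windows\System32\smss.exe",
    r"C:\Windows\smss.exe",
    r"E:\smss.exe",
    r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\lsass.exe",
]
SAMPLE_INF = "[AutoRun]\nopen=smss.exe\nicon=shell32.dll,4\n"

if __name__ == "__main__":
    print(masquerading(SAMPLE_PATHS), autorun_targets(SAMPLE_INF))
```

Feed it a file listing and registry values collected from the host under investigation; the path comparison uses `ntpath`, so it can run on a non-Windows analysis machine.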

Last update 21 November 2011

 
