
Win32.Worm.Antinny.BJ


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Win32.Worm.Antinny.BJ is also known as Worm.Win32.Antinny.aw, Win32/Antinny.AK!Worm, WORM_ANTINNY.BJ, W32/Antinny.worm.ab, W32/Antinny.BP.

Explanation:

This virus arrives via the Winny peer-to-peer application or via file-sharing networks that use Share.exe.
If the user is tricked into executing the .scr file, the virus does the following:

1. Displays a fake message in Japanese.

2. Creates and runs a copy of itself as:

C:\ÄEÉl.scr (C:\(japanese text).scr)

3. Creates FILE.BAT, a batch file that attempts to delete both itself and the copy created in step 2. Deleting C:\ÄEÉl.scr fails, while FILE.BAT itself is deleted.

4. Modifies the WIN.INI file, adding an infection marker:

[ÄEÉl]
ÄEê╙=1

5. Creates a folder named UP in the %WINDOWS% folder:

%WINDOWS%\UP

This folder is shared through the Winny and Share applications. A zip file containing a copy of the worm and some documents is created here.

6. Searches for the Winny and Share application folders.

7. If Winny is installed, the virus modifies UpFolder.txt, the configuration file of the Winny file-sharing application:

[BBS]
Path=%WINDOWS%\Up
Trip=(date_of_infection)-(time_of_infection)

8. If Share is installed, the virus modifies Folder.ini, the configuration file of the Share application:

[UpFolder1]
Path=%WINDOWS%\Up

9. Searches for files with the following extensions:

.doc
.xls
.mdb
.ppt
.dbx
.eml

10. Spreading and information theft:
Creates a zip file in the shared %WINDOWS%\UP folder:

%WINDOWS%\UP\[ÄEÉl] user_name(date_of_infection-time_of_infection)(random japanese characters).zip

The archive contains a copy of the worm named (random japanese characters).scr

together with the files found at step 9 (information theft).
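A host-side check for the indicators described above (the WIN.INI marker section, the Winny and Share upload-folder entries pointing at %WINDOWS%\Up, and a zip in that folder bundling a .scr with document files), as an added Python example that is not part of the BitDefender write-up. The marker section name is the mojibake text exactly as the page prints it (a placeholder for the real Japanese marker) and all configuration contents are constructed samples.

```python
import configparser
import io
import zipfile

# Constructed sample configuration contents mirroring the write-up. The
# section name "ÄEÉl" is the mojibake marker exactly as the page prints it
# (a placeholder for the original Japanese text); adjust to the real marker.
MARKER_SECTION = "ÄEÉl"
WINDOWS_DIR = r"C:\WINDOWS"
WIN_INI = "[windows]\nload=\n[ÄEÉl]\nÄEê╙=1\n"
UPFOLDER_TXT = "[BBS]\nPath=C:\\WINDOWS\\Up\nTrip=20111121-101500\n"
FOLDER_INI = "[UpFolder1]\nPath=C:\\WINDOWS\\Up\n"

def _parse(text):
    """Parse an INI-style file leniently (duplicate keys, non-ASCII keys, no interpolation)."""
    cp = configparser.RawConfigParser(strict=False)
    cp.optionxform = str            # keep key case (and non-ASCII keys) as written
    cp.read_string(text)
    return cp

def shares_up_folder(ini_text, section, windows_dir=WINDOWS_DIR):
    """True if `section` publishes %WINDOWS%\\Up as a Winny/Share upload folder."""
    cp = _parse(ini_text)
    if not cp.has_section(section) or not cp.has_option(section, "Path"):
        return False
    path = cp.get(section, "Path").rstrip("\\").lower()
    return path == (windows_dir + "\\up").lower()

def has_infection_marker(win_ini_text, marker=MARKER_SECTION):
    """True if WIN.INI carries the worm's marker section with a value of 1."""
    cp = _parse(win_ini_text)
    return cp.has_section(marker) and "1" in cp[marker].values()

def suspicious_zip(data):
    """True if a zip (bytes) bundles a .scr next to the document types the worm steals."""
    stolen = {".doc", ".xls", ".mdb", ".ppt", ".dbx", ".eml"}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [n.lower() for n in zf.namelist()]
    has_scr = any(n.endswith(".scr") for n in names)
    has_docs = any(n[n.rfind("."):] in stolen for n in names if "." in n)
    return has_scr and has_docs

def build_sample_zip():
    """Constructed zip shaped like the one the worm drops in %WINDOWS%\\Up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("copy.scr", b"MZ")          # stand-in for the worm copy
        zf.writestr("report.xls", b"stolen")    # stand-in for a harvested document
    return buf.getvalue()
```

On a live system, read the real WIN.INI, UpFolder.txt and Folder.ini from disk and pass their text to these functions; a positive from any one of them warrants checking the %WINDOWS%\UP folder.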

Last update 21 November 2011
