W32/Antinny.worm
- Type: Virus
- SubType: P2P Worm
- Discovery Date: 08/12/2003
- Length: 651,264 bytes
- Minimum DAT: 4285 (08/13/2003)
- Updated DAT: 4333 (03/03/2004)
- Minimum Engine: 5.1.00
- Description Added: 08/12/2003
- Description Modified: 08/13/2003 2:52 AM (PT)
Characteristics
This worm attempts to propagate via Winny, a Japanese P2P file-sharing application. When run, it first displays a fake error message.
The worm then drops the following legitimate DLLs, which it uses for archiving:
- unlha32.dll (sfx archiver)
- zip32.dll
- zip32j.dll
It then attempts to copy itself, under attractive filenames, into the Winny upload directory so that other users will download it. The filenames are concatenated from short strings carried in the virus body. Below are some examples of the filenames created:
The worm also carries a payload that deletes the contents of Winny's ../CACHE directory.
Symptoms
The worm creates an archive of itself using the dropped DLLs and copies itself into the Program Files directory under a semi-random filename.
The filename is derived from the name of one of the executables found in the subdirectories of C:\Program Files, with a random string appended. Some examples are:
- C:\Progra~1\Online~1\AOL\AOLSETUPfa0.exe
- C:\Progra~1\Adobe\Acroba~1\Reader\AcroRd3236fa.exe
The worm also hooks system startup through the following registry key and value:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"ara-key" = C:\Progra~1\<RANDOM path> -StartUp
On Japanese operating systems, the virus also copies itself to C:\TEMP\NY.EXE, and the following entry is added to the win.ini file to point to the location of Winny:
Method of Infection
This worm spreads via the Winny P2P network. It makes copies of itself available to other Winny users under enticing filenames. Spreading requires other users to download and manually run
Removal
All Users:
Use specified engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed successfully when cleaning with the recommended engine and DAT combination (or higher).
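The symptoms listed above (the Run value named "ara-key" with a "-StartUp" argument, a lookalike executable with a random tail beside a legitimate one under Program Files, and the C:\TEMP\NY.EXE copy on Japanese systems) can be checked offline against a registry export and a file listing. The script below is an added Python example, not McAfee's code; the "hex tail" rule used to spot lookalike filenames is an assumption drawn from the two sample names on this page, and the registry export and path list are constructed sample data.

```python
import re

# Indicators quoted from the description above. The hex-tail rule in
# lookalike_executables() is my own heuristic, not something the page states.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "ara-key"
JP_DROP_PATH = r"c:\temp\ny.exe"

def check_run_key(reg_export: str) -> list:
    """Parse a .reg-style export; return Run values that look like the worm's hook."""
    findings, current_key = [], None
    for raw in reg_export.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]          # e.g. [HKEY_LOCAL_MACHINE\...\Run]
            continue
        m = re.match(r'"([^"]+)"\s*=\s*"(.*)"$', line)
        if not m or current_key is None or current_key.lower() != RUN_KEY.lower():
            continue
        name, data = m.group(1), m.group(2).replace("\\\\", "\\")  # undo .reg escaping
        if name.lower() == RUN_VALUE_NAME or data.lower().endswith("-startup"):
            findings.append(f"{name} = {data}")
    return findings

def lookalike_executables(paths: list) -> list:
    """Flag foo<hex>.exe sitting beside foo.exe in the same directory (heuristic)."""
    stems_by_dir = {}
    for p in paths:
        d, _, f = p.lower().rpartition("\\")
        if f.endswith(".exe"):
            stems_by_dir.setdefault(d, set()).add(f[:-4])
    hits = []
    for d, stems in stems_by_dir.items():
        for s in stems:
            for base in stems:
                tail = s[len(base):]
                if s != base and s.startswith(base) and re.fullmatch(r"[0-9a-f]{2,6}", tail):
                    hits.append((f"{d}\\{s}.exe", f"{d}\\{base}.exe"))
    return sorted(hits)

def has_japanese_temp_copy(paths: list) -> bool:  # the C:\TEMP\NY.EXE copy
    return any(p.lower() == JP_DROP_PATH for p in paths)

# Constructed sample data (not a real capture): a partial .reg export and a file listing.
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ara-key"="C:\\Progra~1\\Adobe\\Acroba~1\\Reader\\AcroRd3236fa.exe -StartUp"
"Updater"="C:\\Progra~1\\Vendor\\update.exe /quiet"'''
SAMPLE_PATHS = [r"C:\Progra~1\Adobe\Acroba~1\Reader\AcroRd32.exe",
                r"C:\Progra~1\Adobe\Acroba~1\Reader\AcroRd3236fa.exe",
                r"C:\Progra~1\Vendor\update.exe", r"C:\TEMP\NY.EXE"]
```

Run the three functions over an exported Run key and a recursive listing of Program Files and C:\TEMP; anything flagged by the lookalike rule still needs a manual look, since it is a name heuristic rather than a signature.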
Variants
N/A
Overview
This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
Aliases
- W32.HLLW.Antinny (NAV)
- W32/Antinny.worm.a