W32/USBCasv
- Type: Virus
- SubType: Worm
- Discovery Date: 03/28/2007
- Length: 93,612 bytes
- Minimum DAT: 4994 (03/28/2007)
- Updated DAT: 5654 (06/22/2009)
- Minimum Engine: 5.1.00
- Description Added: 03/28/2007
- Description Modified: 06/12/2007 3:08 AM (PT)
Characteristics
When W32/USBCasv is executed it copies itself to the following folder locations:
- %Temp%\s.exe
- %SysDir%\odbcasvc.exe
The worm installs itself as a service named 'ODBC Administration Service' by creating the following registry keys:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\odbcasvc "DisplayName" = ODBC Administration Service
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\odbcasvc "ImagePath" = C:%SysDir%\odbcasvc.EXE
The worm contains its own SMTP engine and is therefore capable of mailing out information about the infected system or user details without the need for an email client such as MS Outlook.
Symptoms
Presence of the files and registry keys listed under Characteristics.
Method of Infection
The worm spreads by copying itself as INFO.EXE into a folder it creates, called Recycled, on all removable drives.
A corresponding file AUTORUN.INF is dropped onto the victim's system and contains the following:
[autorun]
open=.\recycled\info.exe
shell\1=ä¯ÀÀ
shell\1\Command=.\recycled\info.exe
shellexecute=.\recycled\info.exe
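
A defender can triage removable media for this pattern by parsing AUTORUN.INF and flagging launch directives that run an executable from a recycle-bin folder. The following is an added example, not part of the original description; the function names are hypothetical, and the check is generalised beyond this worm to the RECYCLER and $Recycle.Bin folder names as well.

```python
import re

# Keys in the [autorun] section that cause a program to be launched.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$")
EXECUTABLE = re.compile(r"\.(exe|com|scr|pif|bat|cmd)\b", re.I)
RECYCLE_DIRS = ("recycled", "recycler", "$recycle.bin")  # assumption: generalised list

def parse_autorun(text):
    """Return (key, value) pairs from the [autorun] section of an AUTORUN.INF."""
    entries, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries.append((key.strip().lower(), value.strip()))
    return entries

def suspicious_entries(text):
    """Flag launch directives that run an executable from a recycle-bin folder."""
    findings = []
    for key, value in parse_autorun(text):
        if not LAUNCH_KEY.match(key):
            continue  # captions, icons and labels do not launch anything
        # Normalise separators and case, then drop empty and "." components.
        parts = [p for p in value.lower().replace("/", "\\").split("\\") if p not in ("", ".")]
        in_recycle = any(p in RECYCLE_DIRS for p in parts[:-1])
        if in_recycle and EXECUTABLE.search(value):
            findings.append((key, value))
    return findings

# Constructed sample: the AUTORUN.INF listed above, menu caption replaced by a placeholder.
SAMPLE = r"""[autorun]
open=.\recycled\info.exe
shell\1=caption-placeholder
shell\1\Command=.\recycled\info.exe
shellexecute=.\recycled\info.exe
"""
# Constructed benign sample for comparison.
BENIGN = "[autorun]\nicon=setup.ico\nopen=setup.exe\n"

if __name__ == "__main__":
    for key, value in suspicious_entries(SAMPLE):
        print(f"suspicious: {key} -> {value}")
```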
Removal
All Users:
Use specified engine and DAT files for detection and removal.
Variants
N/A
Overview
This detection is for a worm that spreads by copying itself to removable media. It is also capable of sending system information from the victim's machine to a remote email address.