W32/Blune
- Type: Virus
- SubType: Overwriter
- Discovery Date: 08/09/2007
- Length: 224,382 bytes
- Minimum DAT: 5095 (08/10/2007)
- Updated DAT: 5268 (04/07/2008)
- Minimum Engine: 5.1.00
- Description Added: 08/09/2007
- Description Modified: 08/09/2007 8:08 AM (PT)
Characteristics
W32/Blune is a worm that spreads via removable devices; its payload overwrites executables on infected systems with a copy of itself.
Upon execution, the worm makes the following changes to the user's system:
Copies itself to the following locations:
- %Windows%\Media\svchost.exe
- %Windows%\winhelp32.exe.exe
- %Program Files%\Common Files\System\winlogon.exe
Adds the following registry entries so that it is executed on each reboot:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"ServiceHost" C:\WINDOWS\Media\svchost.exe
"Windows Logon" C:\Program Files\Common Files\System\winlogon.exe
Adds the following registry entries to disable Registry tools and Task Manager:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableChangePassword"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableRegistryTools"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr"
The worm carries a folder icon and modifies the registry value below so that Explorer hides its file extension:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
"HideFileExt"
Symptoms
Executables on the infected system are overwritten with a copy of the worm. Overwritten files usually have the icon of a folder.
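As an added example (not McAfee's own code and not part of this description), the PowerShell function below performs a read-only check of a host for the indicators listed in the Characteristics and Symptoms sections: the dropped files, the Run-key values, the Policies\System values, HideFileExt, and executables whose size equals the 224,382-byte Length given above. It assumes Windows PowerShell 5.1 or later run from an elevated prompt, and that the description's %Windows% and %Program Files% placeholders map to $env:SystemRoot and $env:ProgramFiles; the function name Test-BluneIndicators and its -ScanRoot parameter are my own.

```powershell
# Added example, not McAfee's: read-only check for the W32/Blune indicators listed
# in the description. Assumes Windows PowerShell 5.1+ and an elevated prompt so that
# HKLM and %Program Files% are readable. The 224,382-byte size match is a weak
# heuristic taken from the description's Length field, not a signature.
function Test-BluneIndicators {
    [CmdletBinding()]
    param(
        # Directory to sweep for same-size executables; pass $null to skip the sweep.
        [string]$ScanRoot = $env:USERPROFILE
    )

    $findings = New-Object 'System.Collections.Generic.List[string]'

    # 1. Dropped copies of the worm (paths from the Characteristics section).
    $dropPaths = @(
        (Join-Path $env:SystemRoot   'Media\svchost.exe'),
        (Join-Path $env:SystemRoot   'winhelp32.exe.exe'),
        (Join-Path $env:ProgramFiles 'Common Files\System\winlogon.exe')
    )
    foreach ($path in $dropPaths) {
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $findings.Add("Dropped file present: $path")
        }
    }

    # 2. Run-key persistence (value names from the description).
    $runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    foreach ($name in 'ServiceHost', 'Windows Logon') {
        $item = Get-ItemProperty -Path $runKey -Name $name -ErrorAction SilentlyContinue
        if ($item) {
            $findings.Add("Run value '$name' = $($item.$name)")
        }
    }

    # 3. Policy values the worm sets to lock the user out of Regedit and Task Manager.
    $polKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    foreach ($name in 'DisableChangePassword', 'DisableRegistryTools', 'DisableTaskMgr') {
        $item = Get-ItemProperty -Path $polKey -Name $name -ErrorAction SilentlyContinue
        if ($item -and $item.$name -ne 0) {
            $findings.Add("Policy '$name' = $($item.$name)")
        }
    }

    # 4. HideFileExt = 1 makes Explorer hide known extensions, so a folder-iconed
    #    'Photos.exe' (hypothetical name) is displayed simply as 'Photos'.
    $advKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    $adv = Get-ItemProperty -Path $advKey -Name 'HideFileExt' -ErrorAction SilentlyContinue
    if ($adv -and $adv.HideFileExt -eq 1) {
        $findings.Add('Explorer is hiding file extensions (HideFileExt = 1)')
    }

    # 5. Overwritten hosts: an overwritten .exe becomes a copy of the worm, so files
    #    of exactly the description's Length (224,382 bytes) deserve a closer look.
    if ($ScanRoot -and (Test-Path -LiteralPath $ScanRoot)) {
        Get-ChildItem -LiteralPath $ScanRoot -Filter '*.exe' -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Length -eq 224382 } |
            ForEach-Object { $findings.Add("Executable of worm length: $($_.FullName)") }
    }

    return $findings
}

# Usage: list the findings, or state that none were seen.
$hits = @(Test-BluneIndicators)
if ($hits.Count -eq 0) { 'No W32/Blune indicators found.' } else { $hits }
```

The function only reports; the Removal guidance on this page (current DATs and engine) is still the way to clean the host. The policy and HideFileExt values are ordinary user settings and can be reset afterwards with Remove-ItemProperty if the cleanup leaves them in place.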
Method of Infection
W32/Blune propagates via removable devices.
Removal
A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.
Variants
N/A
Aliases
- PE_BLUNE.A-O (Trend Micro)
- W32.Blune (Symantec)