W32/Bindo.worm
- Type: Virus
- SubType: Worm
- Discovery Date: 10/29/2007
- Length: 139.264
- Minimum DAT: 5152 (10/30/2007)
- Updated DAT: 5838 (12/20/2009)
- Minimum Engine: 5.1.00
- Description Added: 10/29/2007
- Description Modified: 10/29/2007 7:25 AM (PT)
Characteristics
Detection for this worm was added to cover a 32-bit PE file called "soundmax.exe", with a file size of 139.264 bytes.
The file is not internally compressed with a packer. It was written using the MSVC++ development tool.
Upon execution, it runs silently; no GUI messages appear on the screen.
It immediately copies itself and creates a registry entry so that the worm gets executed automatically upon system start:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "SoundMax"
Data: C:\Program Files\Sound Utility\Soundmax.exe
In addition, it might set the following registry value:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "Nofolderoptions"
Data: 01, 00, 00, 00
The worm tries to copy itself to shared drives/folders, such as Kazaa/Limewire but also ICQ shared folders. In these it might copy itself as "Sex_ScreenSaver.scr" and/or "Sex_Game.exe".
There's no exploit associated with it; infection starts with manual execution of the worm.
- c:\autoply.exe (size: 139.264 bytes)
- c:\Documents and Settings\##user##\Local Settings\Temp\svchost.exe (size: 139.264 bytes)
- c:\Program Files\Common Files\Microsoft Shared\MSshare.exe (size: 139.264 bytes)
- c:\Program Files\Sound Utility\Soundmax.exe (size: 139.264 bytes)
- c:\WINNT\Web\OfficeUpdate.exe (size: 139.264 bytes)
Besides these it might try to drop/create:
Symptoms
- Presence of a 32-bit PE file called "soundmax.exe", with a file size of 139.264 bytes.
- Presence of the mentioned registry modifications
- It might try to drop/create a file called c:\Autorun.inf (size: 301 bytes)
- It might try to drop/create a file called "important.htm" on the desktop, titled Salam - Doste - Man.
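The symptoms above can be checked on a host with a short PowerShell script. This is an added example, not McAfee tooling; it uses only the registry values, file paths and sizes listed on this page, reads "139.264" as 139264 bytes, and treats ##user## as a wildcard over profile directories (both assumptions).

```powershell
# Added example: host check built only from the indicators listed on this page.
$WormSize = 139264   # assumption: the page's "139.264 bytes" read as 139264
$findings = @()

# Autostart entry: HKLM ...\Run, value "SoundMax"
$run = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' `
    -Name 'SoundMax' -ErrorAction SilentlyContinue
if ($run) { $findings += "Run value SoundMax = $($run.SoundMax)" }

# Policy value that hides Folder Options (checks the current user's hive only)
$pol = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -Name 'NoFolderOptions' -ErrorAction SilentlyContinue
if ($pol) {
    # The value may be stored as a DWORD or as binary 01,00,00,00; print either form
    $findings += "NoFolderOptions = $(@($pol.NoFolderOptions) -join ',')"
}

# Dropped files and the size the page gives for each
$expected = @{
    'C:\autoply.exe'                                                     = $WormSize
    'C:\Documents and Settings\*\Local Settings\Temp\svchost.exe'        = $WormSize
    'C:\Program Files\Common Files\Microsoft Shared\MSshare.exe'         = $WormSize
    'C:\Program Files\Sound Utility\Soundmax.exe'                        = $WormSize
    'C:\WINNT\Web\OfficeUpdate.exe'                                      = $WormSize
    'C:\Autorun.inf'                                                     = 301
}
foreach ($pattern in $expected.Keys) {
    # -Force includes hidden and system files
    foreach ($file in @(Get-Item -Path $pattern -Force -ErrorAction SilentlyContinue)) {
        if ($file.Length -eq $expected[$pattern]) {
            $findings += "MATCH  $($file.FullName) ($($file.Length) bytes)"
        } else {
            $findings += "REVIEW $($file.FullName) (size $($file.Length), expected $($expected[$pattern]))"
        }
    }
}

if ($findings.Count -gt 0) { $findings } else { 'No indicators from this description found.' }
```

A file that matches only by name is reported as REVIEW rather than MATCH, since names such as svchost.exe and Autorun.inf also occur legitimately.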
Method of Infection
- The worm tries to copy itself to shared drives/folders, such as Kazaa/Limewire but also ICQ shared folders.
- There's no exploit associated with it, infection starts with manual execution of the worm.
Removal
All Users:
Use current engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
Variants
N/A