
W32/UA07

Type: Virus
SubType: Parasitic
Discovery Date: 11/10/2007
Length:
Minimum DAT: 5161 (11/12/2007)
Updated DAT: 5163 (11/14/2007)
Minimum Engine: 5.1.00
Description Added: 11/10/2007
Description Modified: 11/10/2007 2:06 PM (PT)
Risk Assessment:
  Corporate User: Low
  Home User: Low

Characteristics

W32/UA07 searches for other executable files and prepends its viral code to them.

It adds its 29366 bytes of code at the beginning of the original file, so the virus runs whenever that file is executed. In addition, it encrypts the infected file within its body.

Symptoms

W32/UA07 deletes the following registry key:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoDriveTypeAutoRun"

It modifies the following keys to hide its existence and launch itself on system startup:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "ShowSuperHidden"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Userinit"

It copies itself to the following locations:

  • c:\WINDOWS\system32\salo.exe
  • d:\tazebama.exe

It increases the size of infected files by 29366 bytes.
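The fixed size increase and the self-copy file names above can be checked against a file inventory. The following is an added example, not part of the vendor description: it assumes a baseline snapshot of .exe sizes taken before infection, the function names are hypothetical, and flagging the listed file names anywhere under the scanned root is a simplification.

```python
import os
import tempfile

VIRUS_LEN = 29366  # bytes prepended to each infected file, per the description above
DROPPED_NAMES = {"salo.exe", "tazebama.exe"}  # self-copy names listed under Symptoms


def snapshot(root):
    """Map each .exe under root (relative path, lower-cased) to its size in bytes."""
    sizes = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".exe"):
                full = os.path.join(dirpath, name)
                sizes[os.path.relpath(full, root).lower()] = os.path.getsize(full)
    return sizes


def triage(baseline, current):
    """Compare two snapshots; return (grown, dropped) lists of relative paths."""
    # Files that existed before and grew by exactly the prepended length.
    grown = sorted(p for p, size in current.items()
                   if p in baseline and size - baseline[p] == VIRUS_LEN)
    # New files whose name matches one of the listed self-copies.
    dropped = sorted(p for p in current
                     if p not in baseline and os.path.basename(p) in DROPPED_NAMES)
    return grown, dropped


def demo():
    """Constructed sample: zero-filled dummy files, no real executables."""
    with tempfile.TemporaryDirectory() as root:
        def write(name, size):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(b"\0" * size)
        write("notepad.exe", 1000)
        write("calc.exe", 2000)
        write("readme.txt", 10)
        baseline = snapshot(root)
        write("notepad.exe", 1000 + VIRUS_LEN)  # grew by exactly the virus length
        write("calc.exe", 2500)                 # ordinary change, different delta
        write("salo.exe", VIRUS_LEN)            # new file with a listed name
        return triage(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

A size match is only a triage signal; flagged files still need a scan with the engine and DAT versions listed above.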

Method of Infection

W32/UA07 is a file-infecting virus. Infection starts with manual execution of the binary.

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Variants

    N/A

Overview

W32/UA07 is a parasitic virus that prepends itself to EXE files.
