W32/Atin.worm

Type: Virus
SubType: Worm
Discovery Date: 02/04/2008
Length: varies
Minimum DAT: 5222 (02/04/2008)
Updated DAT: 5222 (02/04/2008)
Minimum Engine: 5.1.00
Description Added: 02/04/2008
Description Modified: 02/07/2008 2:48 AM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

This worm uses a folder icon so that it passes for an ordinary folder.

On execution, the worm copies itself into every folder on all drives, giving each copy the same name as the folder it sits in.
It also copies itself onto removable drives.
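The drop pattern described above (an executable inside a folder, named after that folder, on every drive including removable ones) is easy to sweep for. The following PowerShell script is an added example and is not part of the McAfee description or its removal tooling; it assumes PowerShell 4.0 or later (for Get-FileHash) and only reports, it never deletes anything. The root-level "New Folder.exe" check comes from the Run value listed further down in this description.

```powershell
# Added example, not from the McAfee description: sweep every filesystem drive
# for the worm's documented drop pattern, <folder>\<folder>.exe, plus the
# "\New Folder.exe" file the Run persistence value points at. Read-only.
param([string[]]$Roots = @((Get-PSDrive -PSProvider FileSystem).Root))

$hits = foreach ($root in $Roots) {
    # Root-of-drive copy referenced by the worm's Run "load" value
    $rootCopy = Join-Path $root 'New Folder.exe'
    if (Test-Path -LiteralPath $rootCopy -PathType Leaf) { Get-Item -LiteralPath $rootCopy -Force }

    # Folder-mimic copies: C:\Some\Folder\Folder.exe
    Get-ChildItem -LiteralPath $root -Directory -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $candidate = Join-Path $_.FullName ($_.Name + '.exe')
            if (Test-Path -LiteralPath $candidate -PathType Leaf) {
                Get-Item -LiteralPath $candidate -Force
            }
        }
}

$report = foreach ($file in $hits) {
    [pscustomobject]@{
        Path   = $file.FullName
        Size   = $file.Length
        Hidden = [bool]($file.Attributes -band [IO.FileAttributes]::Hidden)
        SHA256 = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
    }
}

$report | Format-Table -AutoSize

# The same hash appearing in many folders is the hallmark of a self-copying
# worm; a single hit may be a legitimate installer and needs manual review.
$report | Group-Object SHA256 | Where-Object { $_.Count -gt 1 } |
    Select-Object @{n = 'Copies'; e = { $_.Count }}, @{n = 'SHA256'; e = { $_.Name }}
```

Run it from an elevated prompt so hidden and system folders are readable; pass `-Roots 'E:\'` to check a single removable drive before mounting it anywhere else.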

The worm changes the window title of Internet Explorer by setting the following registry value.

  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Window Title" = ::::::::NITA_WORM::::::::


The worm changes the Start Page and Search Page by modifying the following registry values.

  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Start Page" = www.N[removed].net
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Search Page" = www.INI_[removed].com


The worm adds the following registry values so that it is loaded at system startup.

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "load" = \New Folder.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "load" = \New Folder.exe


The worm changes the names and icons of My Computer and Recycle Bin by modifying values under the following registry keys (the CLSIDs of My Computer and Recycle Bin respectively).

  • HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}
  • HKEY_CLASSES_ROOT\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}


The worm disables several Explorer features, including the right-click context menu, by adding the following registry values.

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoViewContextMenu" = 1
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoClose" = 1
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoFolderOptions" = 1
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoStartMenuMorePrograms" = 1
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoViewOnDrive" = 1


This worm also creates the following registry entries to disable access to certain system tools. A "debugger" value under an Image File Execution Options subkey makes Windows start the named program in place of the tool, so pointing it at explorer.exe effectively prevents the tool from running.

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options "ansav.exedebugger" = explorer.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options "A-VSafeRun.exedebugger" = explorer.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\A2HIJACKFREE.EXE "debugger" = explorer.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\A-VIGen32.exe "debugger" = explorer.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CMD.exe "debugger" = explorer.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe "debugger" = explorer.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32kui.exe "debugger" = explorer.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProMo.exe "debugger" = explorer.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regedit.exe "debugger" = explorer.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regedit32.exe "debugger" = explorer.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe "debugger"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TaskMgr.exe "debugger" = explorer.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VB6.exe "debugger" = explorer.exe


This worm also adds the following registry entries.

  • HKEY_CLASSES_ROOT\batfile "FriendlyTypeName" = NITA_WORM ada di sini
  • HKEY_CLASSES_ROOT\dllfile "FriendlyTypeName" = NITA_WORM ada di sini
  • HKEY_CLASSES_ROOT\exefile "FriendlyTypeName" = NITA_WORM ada di sini
  • HKEY_CLASSES_ROOT\htmlfile "FriendlyTypeName" = NITA_WORM ada di sini
  • HKEY_CLASSES_ROOT\inifile "FriendlyTypeName" = NITA_WORM ada di sini
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer "ShowDriveLettersFirst" = 2
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "DisableThumbnailCache" = 1
  • HKEY_CLASSES_ROOT\exefile "InfoTip" = Folder is empty
  • HKEY_CLASSES_ROOT\inffile "FriendlyTypeName" = NITA_WORM ada di sini
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion "ProgramFilesDir" = NITA_WORM was here.exe
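The registry changes listed in this description (IE hijack, Run persistence, Explorer policies, IFEO "debugger" redirections, CLSID renames and file-type labels) can be audited in one pass. The script below is an added example, not McAfee's own tooling; it reads only the locations named above, matches them against the documented values, and changes nothing. It assumes PowerShell 3.0 or later and an elevated session so that HKLM and HKCR are readable.

```powershell
# Added audit script, not from the McAfee description: report registry values that
# match the W32/Atin.worm changes documented above. Read-only; run elevated.

$findings = New-Object 'System.Collections.Generic.List[string]'

# Reports $Path : $Name when the value exists and $Match returns $true for it.
function Test-RegValue {
    param([string]$Path, [string]$Name, [scriptblock]$Match, [string]$Label)
    if (-not (Test-Path -LiteralPath $Path)) { return }
    $item = Get-ItemProperty -LiteralPath $Path -ErrorAction SilentlyContinue
    $prop = if ($item) { $item.PSObject.Properties[$Name] } else { $null }
    if ($prop -and (& $Match $prop.Value)) {
        $findings.Add("[$Label] $Path : $Name = $($prop.Value)")
    }
}

# Internet Explorer title and hijacked pages. The hijack domains are redacted in the
# description, so Start/Search Page are listed for manual review rather than matched.
$ieMain = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
Test-RegValue $ieMain 'Window Title' { param($v) $v -match 'NITA_WORM' } 'IE title'
foreach ($n in 'Start Page', 'Search Page') { Test-RegValue $ieMain $n { $true } 'IE page (review)' }

# Startup persistence: Run "load" pointing at \New Folder.exe in either hive
foreach ($hive in 'HKCU:\Software', 'HKLM:\SOFTWARE') {
    Test-RegValue "$hive\Microsoft\Windows\CurrentVersion\Run" 'load' { param($v) $v -match 'New Folder\.exe' } 'Run persistence'
}

# Explorer policies the worm sets to 1
$pol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
foreach ($n in 'NoViewContextMenu', 'NoClose', 'NoFolderOptions', 'NoStartMenuMorePrograms', 'NoViewOnDrive') {
    Test-RegValue $pol $n { param($v) $v -eq 1 } 'Explorer policy'
}

# Image File Execution Options: any subkey whose Debugger value redirects to explorer.exe
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
if (Test-Path -LiteralPath $ifeo) {
    foreach ($sub in Get-ChildItem -LiteralPath $ifeo) {
        $dbg = (Get-ItemProperty -LiteralPath $sub.PSPath -ErrorAction SilentlyContinue).Debugger
        if ($dbg -and $dbg -match 'explorer\.exe') {
            $findings.Add("[IFEO hijack] $($sub.PSChildName) : Debugger = $dbg")
        }
    }
    # The description also lists values written directly under the IFEO key itself
    # ("ansav.exedebugger", "A-VSafeRun.exedebugger"); catch those as well.
    $root = Get-Item -LiteralPath $ifeo
    foreach ($n in ($root.GetValueNames() | Where-Object { $_ -like '*debugger' })) {
        $findings.Add("[IFEO stray value] $n = $($root.GetValue($n))")
    }
}

# Shell renames and file-type labels; HKCR is reached through the Registry:: provider
$clsid = 'Registry::HKEY_CLASSES_ROOT\CLSID'
Test-RegValue "$clsid\{20D04FE0-3AEA-1069-A2D8-08002B30309D}" '(default)' { param($v) $v -match 'Recycle' } 'My Computer renamed'
Test-RegValue "$clsid\{645FF040-5081-101B-9F08-00AA002F954E}" '(default)' { param($v) $v -match 'My Computer' } 'Recycle Bin renamed'
foreach ($ft in 'batfile', 'dllfile', 'exefile', 'htmlfile', 'inifile', 'inffile') {
    Test-RegValue "Registry::HKEY_CLASSES_ROOT\$ft" 'FriendlyTypeName' { param($v) $v -match 'NITA_WORM' } 'File type label'
}
Test-RegValue 'Registry::HKEY_CLASSES_ROOT\exefile' 'InfoTip' { param($v) $v -match 'Folder is empty' } 'exefile InfoTip'
Test-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion' 'ProgramFilesDir' { param($v) $v -match 'NITA_WORM' } 'ProgramFilesDir'

if ($findings.Count -eq 0) { 'No indicators from the W32/Atin.worm description were found.' } else { $findings }
```

Any "IFEO hijack" line is worth acting on even if the rest is clean: a Debugger value that points at explorer.exe has no legitimate use, and the tools it silences (Task Manager, regedit, msconfig, cmd) are exactly the ones an administrator reaches for during cleanup.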

Symptoms

"My Computer" is renamed "Recycle Bin" and shows a folder icon.
"Recycle Bin" is renamed "My Computer".
Files with a folder icon are present in every folder, named after the folder that contains them.
Certain Explorer features stop working, e.g. the right-click context menu is not displayed.

Method of Infection

This worm may arrive via a spammed email or a malicious link, or it may spread by its intended method: infected removable drives and file sharing.

Removal

AVERT recommends always using the latest DATs and engine. This threat will be cleaned if you have this combination.

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

This detection is for a worm that disguises itself as a folder.
The worm copies itself to all drives, including removable drives.

Aliases

  • Trojan:Win32/Malagent (Microsoft)
  • W32/VBWorm.OSG (Norman)
  • Worm.Win32.VB.zaj (Rising RavScan)
