W32/Autorun.worm.g!AED72F1F

Type: Internet Worm
SubType: Peer To Peer
Discovery Date: 03/28/2008
Length: 43,520 bytes
Minimum DAT: 5263 (03/31/2008)
Updated DAT: 5263 (03/31/2008)
Minimum Engine: 5.1.00
Description Added: 03/28/2008
Description Modified: 03/28/2008 3:24 PM (PT)
Risk Assessment:
  Corporate User: Low
  Home User: Low

Characteristics

This is a worm which can propagate over removable media and network drives and cause execution of malicious code via an autorun.inf file. It drops the following two files in the root of each drive it infects:

  • [drive]:\Autorun.inf
  • [drive]:\ctfmon.exe

It copies itself to the logged-on user's profile directory as ctfmon.exe (note: the legitimate ctfmon.exe lives in %windir%\system32, not in a profile directory) and creates two registry Run values: one loads the worm at system startup, the other opens an HTML file dropped in the Windows directory:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Windows Autorun = "C:\WINDOWS\firma.html"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Windows Live Messenger 8.12 = "C:\Documents and Settings\Administrator\ctfmon.exe"

Additionally, the worm looks for the shared folders of various peer-to-peer file-sharing applications. It then creates files with the following names inside those folders, so that the peer-to-peer application shares them with other clients on the network. The names are chosen as lures (cracks, key generators, music, adult content); all of them carry the .scr screen-saver extension, which Windows treats as an executable:

  • Antivirus Nod32.scr
  • Avril Lavigne - GirlFriend.scr
  • Brute Force cracker 2007 [by Khronos].scr
  • Counter Strike Source + serials.scr
  • Cracks 2007.scr
  • Disturbed - Down with the sickness.scr
  • Elsa Pataky.scr
  • Hack messenger.scr
  • KeyGenerator 2007 + 1000 serials [by Khronos].scr
  • Linkin Park - Faint.scr
  • Linkin Park - In the end.scr
  • Manga porn.scr
  • Manual del hacker.scr
  • Matrix the film.scr
  • Pamel Anderson pictures.scr
  • Sexy Video.scr
  • The best porn.scr
  • Ubuntu AMD 64 crack + serials [by Khronos].scr
  • Video xXx.scr
  • Windows Vista Crack.scr
  • Youtube videos downloader.scr

It also creates the following two HTML files in the Windows directory (%windir%):

  • cmd.html
  • firma.html

These files contain the following HTML text:

----------------------------------------------------------------------

W32.LinkinPark

Gedzac Labs Returns

CopyLeft 2007 made in CodeGear Delphi 2007

Puedes estar tranquilo que este worm es inofensivo. Regresa Gedzac Labs ten mas cuidado, a lo mejor la proxima vez no es una broma :p
(Translation: You can rest easy, this worm is harmless. Gedzac Labs is back; be more careful, maybe next time it won't be a joke :p)

----------------------------------------------------------------------

Symptoms

  • Presence of the mentioned file(s)/registry key(s)
  • Unexpected termination of running processes
  • Unexpected program execution from removable or network drive(s)

Method of Infection

This worm can propagate over removable media and network drives and cause the automatic execution of malicious code via an autorun.inf file. It can also spread via various peer-to-peer networks using the filenames mentioned above.
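The indicators in the Characteristics section above translate directly into a set of checks. The script below is an added example, not McAfee's own tooling: it parses an autorun.inf for its launch targets, flags the drive-root pair, the two Run values (and the generic patterns behind them), the P2P lure names and the dropped HTML marker, and evaluates the Explorer NoDriveTypeAutoRun policy value that blocks the propagation vector. The page does not reproduce the worm's actual autorun.inf, so the sample inf, the Run-value dump and the directory listings are constructed inputs; the assumption that the inf's open= line points at ctfmon.exe is labelled as such in the code.

```python
# Added example (not McAfee's tooling): checks for the indicators listed above.
# SAMPLE_* inputs are constructed; the page does not reproduce the worm's real
# autorun.inf, so "open=ctfmon.exe" is an assumption about its contents.
from typing import Dict, Iterable, List, Optional

# Indicators taken from the description above.
PROFILE_COPY = "ctfmon.exe"                      # dropped in the profile root and on drives
DROPPED_HTML = {"cmd.html", "firma.html"}        # dropped in %windir%
RUN_VALUE_NAMES = {"Windows Autorun", "Windows Live Messenger 8.12"}
HTML_MARKERS = ("W32.LinkinPark", "Gedzac Labs Returns")
P2P_LURES = {
    "Antivirus Nod32.scr", "Avril Lavigne - GirlFriend.scr",
    "Brute Force cracker 2007 [by Khronos].scr", "Counter Strike Source + serials.scr",
    "Cracks 2007.scr", "Disturbed - Down with the sickness.scr", "Elsa Pataky.scr",
    "Hack messenger.scr", "KeyGenerator 2007 + 1000 serials [by Khronos].scr",
    "Linkin Park - Faint.scr", "Linkin Park - In the end.scr", "Manga porn.scr",
    "Manual del hacker.scr", "Matrix the film.scr", "Pamel Anderson pictures.scr",
    "Sexy Video.scr", "The best porn.scr", "Ubuntu AMD 64 crack + serials [by Khronos].scr",
    "Video xXx.scr", "Windows Vista Crack.scr", "Youtube videos downloader.scr",
}
# Drive-type bits of the Explorer policy value NoDriveTypeAutoRun.
DRIVE_REMOVABLE, DRIVE_REMOTE = 0x04, 0x10


def autorun_launch_targets(text: str) -> List[str]:
    """Return every program an autorun.inf would run (open=, shellexecute=) or
    offer through a shell\\<verb>\\command= context-menu entry.  Hand-rolled
    rather than configparser because worm-written autorun.inf files often
    carry junk lines that make a strict INI parser raise."""
    targets, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue                                  # junk / obfuscation line
        key, value = (p.strip() for p in line.split("=", 1))
        key = key.lower()
        if key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command")):
            targets.append(value)
    return targets


def drive_root_infected(listing: Iterable[str], autorun_text: Optional[str] = None) -> bool:
    """A drive root is flagged when Autorun.inf sits beside ctfmon.exe; when
    the inf contents are available they must also launch that copy."""
    names = {n.lower() for n in listing}
    if "autorun.inf" not in names or PROFILE_COPY not in names:
        return False
    if autorun_text is None:
        return True
    return any(t.strip('"').lower().endswith(PROFILE_COPY) for t in autorun_launch_targets(autorun_text))


def suspicious_run_values(run_values: Dict[str, str]) -> List[str]:
    """Flag Run values by the names the worm uses, plus the generic patterns
    behind them: a Run value that opens an .html file, or a ctfmon.exe that is
    not the legitimate %SystemRoot%\\system32\\ctfmon.exe."""
    hits = []
    for name, data in run_values.items():
        target = data.strip().strip('"').lower()
        if (name in RUN_VALUE_NAMES or target.endswith(".html")
                or (target.endswith("\\" + PROFILE_COPY) and "\\system32\\" not in target)):
            hits.append(name)
    return hits


def p2p_lures_present(share_listing: Iterable[str]) -> List[str]:
    """Known lure names in a P2P shared folder (any .scr there deserves a look too)."""
    return sorted(n for n in share_listing if n in P2P_LURES)


def html_is_worm_marker(html: str) -> bool:
    """True when a dropped cmd.html/firma.html carries the worm's signature text."""
    return all(m in html for m in HTML_MARKERS)


def autorun_blocked(no_drive_type_autorun: int) -> bool:
    """True when the policy value masks AutoRun for removable and network drives,
    the two vectors this worm uses (0xFF disables it for every drive type)."""
    wanted = DRIVE_REMOVABLE | DRIVE_REMOTE
    return no_drive_type_autorun & wanted == wanted


# Constructed sample input (not captured from the worm).
SAMPLE_AUTORUN_INF = "[autorun]\n\x00\x01junk\nOPEN=ctfmon.exe\nshell\\open\\command=ctfmon.exe\nicon=ctfmon.exe\n"
SAMPLE_RUN = {
    "ctfmon.exe": "C:\\WINDOWS\\system32\\ctfmon.exe",              # legitimate entry
    "Windows Autorun": "C:\\WINDOWS\\firma.html",
    "Windows Live Messenger 8.12": "C:\\Documents and Settings\\Administrator\\ctfmon.exe",
}

if __name__ == "__main__":
    print("drive infected:", drive_root_infected(["Autorun.inf", "ctfmon.exe", "photos"], SAMPLE_AUTORUN_INF))
    print("bad Run values:", suspicious_run_values(SAMPLE_RUN))
    print("P2P lures:", p2p_lures_present(["Linkin Park - Faint.scr", "song.mp3"]))
    print("AutoRun blocked with the XP default 0x91:", autorun_blocked(0x91))
```

The Run-value check deliberately keys on the shape of the entries rather than only on the two names: a Run value whose data is an .html file, or a ctfmon.exe outside %SystemRoot%\system32, is abnormal regardless of what the value is called. The XP default NoDriveTypeAutoRun of 0x91 leaves removable drives enabled, which is why the removable-media vector works out of the box; 0xFF closes all drive types, though older XP builds needed a Microsoft update before the value was honoured for every drive type.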

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed successfully when cleaning with the recommended engine and DAT combination (or higher).

Variants

    N/A

Aliases

  • Trojan:Win32/Malagent (Microsoft)
  • W32/Cazdeg.B.worm (Panda)