Generic.dx!1DAEE3B9

Content

Generic.dx!1DAEE3B9

Type: Trojan
SubType: -
Discovery Date: 05/29/2008
Length: 2342912
Minimum DAT: 5306 (05/29/2008)
Updated DAT: 5306 (05/29/2008)
Minimum Engine: 5.2.00
Description Added: 05/29/2008
Description Modified: 05/29/2008 11:01 AM (PT)

Risk Assessment

Corporate User: Low
Home User: Low

Tab Navigation

Characteristics

File Property	Property Value
File Name	astry.exe
McAfee Detection	New Malware.dq
Length	2,342,912 bytes
CRC32	1DAEE3B9
MD5	e13841f33f8a0bf9c50b61e154983bdd
SHA1	E9C3067FA964F607A62DBDEC67754A74534660F1

Other Common Detection Aliases

Company Name	Detection Name
AhnLab	Win32/Xema.worm.154436
Avast	Win32:VB-EYD [Wrm]
AVG (GriSoft)	Worm/VB.BWF
Avira	TR/Crypt.CFI.Gen
BitDefender	Win32.Worm.VB.NOZ
Dr.Web	~Win32.HLLW.Generic.209
EMSI Software	Worm.Win32.VB.hc
eSafe (Alladin)	suspicious Trojan/Worm [101]
F-Prot	W32/Worm.GDL
Kaspersky	Worm.Win32.VB.hc
Microsoft	worm:win32/agent
Norman	hupigon.gen83
Rising	Worm.Win32.VB.hc
Sophos	Mal/Behav-043
Symantec	Trojan Horse
Trend Micro	WORM_VB.AZ
Vba32	Worm.Win32.VB.hc
V-Buster	~NEW_VIRUS
Vet (Computer Associates)	Win32/Nofupat.A

Avert® Labs has observed the following system activities:

Activity	Risk Level
Modifies the Operating System Security Policy	High
Creates Registry Keys and Data values persistent on OS Reboot	Low
Writes Executable in the Windows Folder	Low

Other detections that have been observed.

File Name	McAfee Supported
c:\documents and settings\administrator\netwin.exe	New Malware.dq

System Changes

These are general defaults for typical path variables. (Although they may differ, these examples are common.):
%WinDir% = \WINDOWS (Windows 9x/ME/XP/Vista), \WINNT (Windows NT/2000)
%SystemDir% = \WINDOWS\SYSTEM (Windows 98/ME), \WINDOWS\SYSTEM32 (Windows XP/Vista), \WINNT\SYSTEM32 (Windows NT/2000)
%ProgramFiles% = \Program Files

The following files have been added to the system:

%USERPROFILE%\netwin.exe

%WINDIR%\astry.exe

%WINDIR%\network-ipv6

%WINDIR%\network-ipv6\netwin.exe

%WINDIR%\scvhost.exe

%WINDIR%\system32\scvhost.exe

The following registry elements have been created:

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system\

disableregedit = 0
disableregistrytools = 0
disabletaskmgr = 0

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\advanced\folder\thickets\

bitmap = c:\windows\system32\shell32.dll,29
text = hidup bersama lo :

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\advanced\folder\thickets\auto\

text = bakalan susah

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\advanced\folder\thickets\nohide\

text = biasa aza

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\advanced\folder\thickets\none\

text = bakalan senang

The following registry elements have been changed:

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced\

hidden = 49

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\

network ipv6 = c:\windows\network-ipv6\netwin.exe
networkdriver = c:\documents and settings\administrator\netwin.exe

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\

shell = explorer.exe, scvhost.exe
userinit = c:\windows\system32\userinit.exe,scvhost.exe

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\advanced\folder\

bitmap = c:\windows\system32\shell32.dll,11
text = gue pikir2x lo itu:

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\advanced\folder\classicviewstate\

text = adik lo banyak

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\advanced\folder\controlpanelinmycomputer\

text = pacar lo banyak

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\advanced\folder\desktopprocess\

text = kurang taat ibadah

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\advanced\folder\disablethumbcache\

text = sok tau

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\advanced\folder\foldersizetip\

text = babe lo galak

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\advanced\folder\friendlytree\

checkedvalue = 48
text = gue kangen berat

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\advanced\folder\hidden\

bitmap = c:\windows\system32\shell32.dll,22
text = semua tentang lo :

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\advanced\folder\hidden\nohidden\

hkeyroot = 1010
text = akan gue lupakan semua

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\advanced\folder\hidden\showall\

checkedvalue = 49
defaultvalue = 49
hkeyroot = 1001
hkeyroot = 1018
text = akan gue ingat semua

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\advanced\folder\hidefileext\

checkedvalue = 49
defaultvalue = 49
text = lo dugem terus

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\advanced\folder\netcrawler\

text = terlalu banyak nuntut

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\advanced\folder\persistbrowsers\

text = lo gak romantis

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\advanced\folder\showcompcolor\

text = otak lo mesum

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\advanced\folder\showfullpath\

text = lo bego

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\advanced\folder\showfullpathaddress\

text = gue pandang2x lo jelek

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\advanced\folder\showinfotip\

text = jarang jajan

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\advanced\folder\simplesharing\

text = gak punya mobil

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\advanced\folder\superhidden\

text = gue ada pacar baru

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\advanced\folder\webviewbarricade\

text = gue masih cinta lo

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\tips\

0 = iloveu astry and never forget you
1 = iloveu astry and never forget you
10 = iloveu astry and never forget you
11 = iloveu astry and never forget you
12 = iloveu astry and never forget you
13 = iloveu astry and never forget you
14 = iloveu astry and never forget you
15 = iloveu astry and never forget you
16 = iloveu astry and never forget you
17 = iloveu astry and never forget you
18 = iloveu astry and never forget you
19 = iloveu astry and never forget you
2 = iloveu astry and never forget you
20 = iloveu astry and never forget you
21 = iloveu astry and never forget you
22 = iloveu astry and never forget you
23 = iloveu astry and never forget you
24 = iloveu astry and never forget you
25 = iloveu astry and never forget you
26 = iloveu astry and never forget you
27 = iloveu astry and never forget you
28 = iloveu astry and never forget you
29 = iloveu astry and never forget you
3 = iloveu astry and never forget you
30 = iloveu astry and never forget you
31 = iloveu astry and never forget you
32 = iloveu astry and never forget you
33 = iloveu astry and never forget you
34 = iloveu astry and never forget you
35 = iloveu astry and never forget you
36 = iloveu astry and never forget you
37 = iloveu astry and never forget you
38 = iloveu astry and never forget you
39 = iloveu astry and never forget you
4 = iloveu astry and never forget you
40 = iloveu astry and never forget you
41 = iloveu astry and never forget you
42 = iloveu astry and never forget you
43 = iloveu astry and never forget you
44 = iloveu astry and never forget you
45 = iloveu astry and never forget you
46 = iloveu astry and never forget you
47 = iloveu astry and never forget you
48 = iloveu astry and never forget you
49 = iloveu astry and never forget you
5 = iloveu astry and never forget you
50 = iloveu astry and never forget you
6 = iloveu astry and never forget you
7 = iloveu astry and never forget you
8 = iloveu astry and never forget you
9 = iloveu astry and never forget you

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system\

legalnoticecaption = windows update
legalnoticetext = windows update (6300-ngsrp-tmr521a-smg-542ph-3180) .
check system setting or upgrade system.maybe your system not full
patch .system still safe. www.microsoft.com patch code :
as3-ctrkea-sr.

Symptoms

This symptoms of this detection are the files, registry, and network communication referenced in the characteristics section.

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, e-mail, etc.

Removal

AVERT recommends to always use latest DATs and engine. This threat will be cleaned if you have this combination.

Additional Windows ME/XP removal considerations

Variants

N/A

All Information

Overview -

This is a Trojan detection. Unlike viruses, Trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include e-mail, malicious or hacked Web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.