McAfee > Theat Center > Virus Detail Page

Overview

This description is for a worm that is capable of spreading through removable devices and network shares.

The characteristics of this worm in regards to file names, folders created etc. will differ from one version to another. Hence, this is a general description.

Aliases

• IRC-Worm.Win32.Delf.an [Kaspersky]

• W32/Agent.S.gen!Eldorado [F-Prot]

• W32/Smalltroj.CPLV [Norman]

Characteristics

When executed, this worm drops the following files:

• %System%\temp.exe [Copy of Worm]
• %Temp%\~DsNiu!.bAt [Batch file to delete the worm, from where the worm was executed]

The worm then drops a copy of itself along with an AutoRun.inf configuration file in all removable devices, the root of all fixed drives and the system folders.

Note:

• %System% is a variable that refers to the System folder.
  By default, this is C:\Windows\System32 for Windows XP
• %Temp% is a variable that refers to temp folder.
  By default, this is C:\Documents and settings\User\Local Settings\Temp

The following registry entries are created to ensure the execution of the worm at system startup:

• HKEY_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Run
  Data: Services
  Value: C:\Windows\system32\temp.exe

The worm attempts to connect to the following sites:

• http://yzx65.vip0.25idc.cn:80/[Removed]

The above URL has the following embedded Iframe:

• “src=http://w.bmwoo.com/[Removed] width=1 height=1”

The above iframe if sucessfully rendered, could be used to serve an exploit and help spread other malware. At the time of writing this description, however, the above iframe URL seemed down.

Symptoms

Presence of files and registry entries mentioned earlier
Presence of the following autorun.inf file on the root of removable and fixed drives:

Method of Infection

This worm spreads by copying itself to network shares and to removable devices, along with an “Autorun.inf”.

Infection starts either with manual execution of the infected file or by simply navigating to the folders containing the infected files, whereby the “Autorun.inf” file could cause automatic execution of the worm.

Removal

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

Additional Windows ME/XP removal considerations

Variants

Variants

N/A

All Information

Overview -

This description is for a worm that is capable of spreading through removable devices and network shares.

The characteristics of this worm in regards to file names, folders created etc. will differ from one version to another. Hence, this is a general description.

Aliases

• IRC-Worm.Win32.Delf.an [Kaspersky]

• W32/Agent.S.gen!Eldorado [F-Prot]

• W32/Smalltroj.CPLV [Norman]

Characteristics

Characteristics -

When executed, this worm drops the following files:

• %System%\temp.exe [Copy of Worm]
• %Temp%\~DsNiu!.bAt [Batch file to delete the worm, from where the worm was executed]

The worm then drops a copy of itself along with an AutoRun.inf configuration file in all removable devices, the root of all fixed drives and the system folders.

Note:

• %System% is a variable that refers to the System folder.
  By default, this is C:\Windows\System32 for Windows XP
• %Temp% is a variable that refers to temp folder.
  By default, this is C:\Documents and settings\User\Local Settings\Temp

The following registry entries are created to ensure the execution of the worm at system startup:

• HKEY_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Run
  Data: Services
  Value: C:\Windows\system32\temp.exe

The worm attempts to connect to the following sites:

• http://yzx65.vip0.25idc.cn:80/[Removed]

The above URL has the following embedded Iframe:

• “src=http://w.bmwoo.com/[Removed] width=1 height=1”

The above iframe if sucessfully rendered, could be used to serve an exploit and help spread other malware. At the time of writing this description, however, the above iframe URL seemed down.

Symptoms

Symptoms -

Presence of files and registry entries mentioned earlier
Presence of the following autorun.inf file on the root of removable and fixed drives:

Method of Infection

Method of Infection -

This worm spreads by copying itself to network shares and to removable devices, along with an “Autorun.inf”.

Infection starts either with manual execution of the infected file or by simply navigating to the folders containing the infected files, whereby the “Autorun.inf” file could cause automatic execution of the worm.

Removal -

Removal -

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

Additional Windows ME/XP removal considerations

Variants

Variants -

N/A