Turkish Delight
Today SophosLabs received a new worm from the field which was quite similar to the W32/SillyFD family, but different enough to make it a new family. Detection has been added as W32/Amca-A.
The worm is written in Visual Basic by Turkish hackers. The name comes from a reference in the code to "Paylasim Acma(C,D).exe".
It has several components packed into a WinRAR SFX archive. Besides installing itself into the system32 folder, it creates two simple command files, <System>\acd.cmd and <System>\acd2.cmd, which are used to share the drives of the infected machine. These files contain a single command of the form:
net share PATRON1=d:\ /unlimited /remark:"RockStar"
Also, similarly to the SillyFD worms, it spreads to USB drives, creating two hidden files there: activexdebugger32.exe and Autorun.inf. The latter is used to run the executable automatically when the drive is connected to another machine.
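Both behaviours described above (a whole drive exposed through net share, and an Autorun.inf pointing at a dropped executable) leave traces a responder can check for. The following is an added example, not SophosLabs code: it parses the table that the net share command prints and flags shares that match the indicators quoted in this post (share name PATRON1, remark RockStar) or that expose an entire drive root under a non-administrative name, and it parses an Autorun.inf to list what it would launch. The net share output and the Autorun.inf text are constructed samples; the drive-root heuristic is my own assumption, not something the post states.

```python
import configparser
import re

# Indicators quoted in the post.
KNOWN_SHARE_NAME = "PATRON1"
KNOWN_REMARK = "RockStar"
KNOWN_DROPPER = "activexdebugger32.exe"

# A resource that is just a drive letter (with or without trailing backslash),
# i.e. the whole drive is shared. Heuristic added here, not from the post.
DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\?$")


def _row(name, resource, remark):
    # net share prints fixed-width columns; mimic that layout for the sample.
    return f"{name:<13}{resource:<32}{remark}"


# Constructed sample of `net share` output after the worm's acd.cmd has run.
SAMPLE_NET_SHARE = "\n".join([
    _row("Share name", "Resource", "Remark"),
    "",
    "-" * 79,
    _row("C$", "C:\\", "Default share"),
    _row("IPC$", "", "Remote IPC"),
    _row("ADMIN$", "C:\\WINDOWS", "Remote Admin"),
    _row("PATRON1", "D:\\", "RockStar"),
    "The command completed successfully.",
])

# Constructed Autorun.inf using the standard, documented [autorun] keys.
SAMPLE_AUTORUN_INF = """\
[autorun]
open=activexdebugger32.exe
shellexecute=activexdebugger32.exe
"""


def parse_net_share(text):
    """Parse `net share` output into (name, resource, remark) tuples.

    Column offsets are taken from the header line so the parser does not
    depend on hard-coded widths; the IPC$ row (empty resource) is the edge
    case that a naive whitespace split would get wrong."""
    lines = text.splitlines()
    header = next(line for line in lines if line.startswith("Share name"))
    res_col = header.index("Resource")
    rem_col = header.index("Remark")
    rows = []
    started = False
    for line in lines:
        if line.startswith("---"):
            started = True          # data rows begin after the separator
            continue
        if not started or not line.strip() or line.startswith("The command"):
            continue
        rows.append((line[:res_col].strip(),
                     line[res_col:rem_col].strip(),
                     line[rem_col:].strip()))
    return rows


def find_suspicious_shares(text):
    """Return (name, resource, reasons) for shares worth a closer look."""
    hits = []
    for name, resource, remark in parse_net_share(text):
        reasons = []
        if name == KNOWN_SHARE_NAME:
            reasons.append("share name matches W32/Amca-A indicator")
        if remark == KNOWN_REMARK:
            reasons.append("remark matches W32/Amca-A indicator")
        if DRIVE_ROOT.match(resource) and not name.endswith("$"):
            reasons.append("entire drive shared without admin-only ($) suffix")
        if reasons:
            hits.append((name, resource, reasons))
    return hits


def autorun_targets(inf_text):
    """List every executable an Autorun.inf would launch.

    Covers open=, shellexecute= and shell\\<verb>\\command= keys; configparser
    lower-cases keys, and strict=False tolerates duplicate keys."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(inf_text)
    targets = []
    if cp.has_section("autorun"):
        for key, value in cp.items("autorun"):
            if key in ("open", "shellexecute") or key.endswith("\\command"):
                targets.append(value.strip())
    return targets


def autorun_hits(inf_text):
    """Targets whose file name is the dropper named in the post."""
    return [t for t in autorun_targets(inf_text)
            if t.lower().rsplit("\\", 1)[-1] == KNOWN_DROPPER]


if __name__ == "__main__":
    for name, resource, reasons in find_suspicious_shares(SAMPLE_NET_SHARE):
        print(f"{name} -> {resource}: {'; '.join(reasons)}")
    print("Autorun.inf launches:", autorun_hits(SAMPLE_AUTORUN_INF))
```

On a live Windows host the same functions can be fed the real output of `net share` (for example via subprocess) and the contents of Autorun.inf read from each removable drive's root; the hidden attribute on the dropped files does not stop a script from reading them.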
Filed under: Malware