Examples of Mal/Airworm-A include:
Example 1
Other vendor detection
- Avira
- TR/Autoit.CI.14
- Kaspersky
- Worm.Win32.AutoRun.hnw
- Trend
- WORM_DELF.FKZ
Runtime Analysis
Copies Itself To
- C:\WINDOWS\regsvr.exe
- C:\WINDOWS\system32\regsvr.exe
- C:\WINDOWS\system32\svchost .exe
Dropped Files
- C:\WINDOWS\system32\setup.ini
Registry Keys Created
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
- GlobalUserOffline
- 0x00000000
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run
- Msn Messsenger
- C:\WINDOWS\system32\regsvr.exe
- HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares
- shared
- \New Folder .exe
- HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
- DisableTaskMgr
- 0x00000000
- HKLM\SYSTEM\CurrentControlSet\Services\Schedule
- AtTaskMaxHours
- 0x00000000
- HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
- NofolderOptions
- 0x00000000
Registry Keys Modified
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
- Shell
- Explorer.exe regsvr.exe
Processes Created
- c:\windows\system32\at.exe
- c:\windows\system32\cmd.exe
HTTP Requests
- http://www.yahoo.com/setting.doc
- http://www.yahoo.com/setting.xls
- http://yahoo.com/setting.doc
DNS Requests
Example 2
Runtime Analysis
Copies Itself To
- C:\WINDOWS\regsvr.exe
- C:\WINDOWS\system32\regsvr.exe
- C:\WINDOWS\system32\svchost .exe
- F:/New Folder .exe
- F:/regsvr.exe
Dropped Files
- C:\WINDOWS\system32\setup.ini
Registry Keys Created
- HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares
- shared
- \New Folder .exe
- HKLM\SYSTEM\CurrentControlSet\Services\Schedule
- AtTaskMaxHours
- 0x00000000
- HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
- DisableTaskMgr
- 0x00000000
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run
- Msn Messsenger
- C:\WINDOWS\system32\regsvr.exe
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
- GlobalUserOffline
- 0x00000000
- HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
- NofolderOptions
- 0x00000000
Registry Keys Modified
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
- Shell
- Explorer.exe regsvr.exe
Processes Created
- c:\windows\system32\at.exe
- c:\windows\system32\cmd.exe
HTTP Requests
- http://www.yahoo.com/setting.doc
- http://www.yahoo.com/setting.xls
- http://yahoo.com/setting.doc
- http://yahoo.com/setting.xls
DNS Requests
Example 3
Runtime Analysis
Copies Itself To
- C:\WINDOWS\regsvr.exe
- C:\WINDOWS\system32\regsvr.exe
- C:\WINDOWS\system32\svchost .exe
- F:/New Folder .exe
- F:/regsvr.exe
Dropped Files
- C:\WINDOWS\system32\setup.ini
Registry Keys Created
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
- GlobalUserOffline
- 0x00000000
- HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares
- shared
- \New Folder .exe
- HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
- DisableTaskMgr
- 0x00000000
- HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
- NofolderOptions
- 0x00000000
- HKLM\SYSTEM\CurrentControlSet\Services\Schedule
- AtTaskMaxHours
- 0x00000000
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run
- Msn Messsenger
- C:\WINDOWS\system32\regsvr.exe
Registry Keys Modified
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
- Shell
- Explorer.exe regsvr.exe
Processes Created
- c:\windows\system32\at.exe
- c:\windows\system32\cmd.exe
HTTP Requests
- http://www.yahoo.com/setting.doc
- http://www.yahoo.com/setting.xls
- http://yahoo.com/setting.doc
- http://yahoo.com/setting.xls
DNS Requests