W32/Baysur-A is a worm for the Windows platform.
W32/Baysur-A attempts to spread to removable drives by copying itself to those drives and creating the file autorun.inf on them.
W32/Baysur-A is a worm for the Windows platform.
W32/Baysur-A attempts to spread to removable drives by copying itself to those drives and creating the file <Root>\autorun.inf on them. The file autorun.inf is designed to execute the worm when the removeable device is connected to an uninfected computer.
When first run the worm copies itself to the following locations:
<Root>\BIN.scr
<Root>\NV.scr
<Root>\powerarchiver.scr
<Root>\Recycled.scr
<Root>\Program Files.scr
<Root>\STARTUP.scr
<Root>\System Volume Information.scr
<Root>\Thumbs.com
<Root>\WINDOWS.scr
W32/Baysur-A creates the following files
<Root>\Autorun.inf
<Root>\Thumbs .db
<Windows>\Thumbs .db
<Startup>\Adobe Online.com
<Startup>\Adobe Update.com
<Startup>\Autoexec.bat
The following registry entries are set:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
LegalNoticeCation
"<Random Text> - 24.01.2007 Surabaya"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
LegalNoticeText
"Surabaya in my birthday"
"Don't kill me, i'm just send message from your computer"
"Terima kasih telah menemaniku walaupun hanya sesaat, tapi bagiku sangat berarti"
"Maafkan jika kebahagiaan yang kuminta adalah teman sepanjang hidupku"
"Seharusnya aku mengerti bahwa keberadaanku bukanlah disisimu, hanyalah lamunan dalam sesal"
"Untuk kekasih yang tak kan pernah kumiliki 3r1k1m0"