W32/Mobler-C is a worm for the Windows platform.
W32/Mobler-C spreads by copying itself to the available network shares, including floppies, fixed drives and USB devices.
When first run, W32/Mobler-C copies itself to:
<User>\Documents\My Pictures\Sample Pictures\Blue hills.jpg.exe
<User>\Documents\My Pictures\Sample Pictures\Sunset.jpg.exe
<User>\Documents\My Pictures\Sample Pictures\Water lilies.jpg.exe
<User>\Documents\My Pictures\Sample Pictures\Winter.jpg.exe
<Common Files>\Microsoft Shared\Grphflt\MS.JPG.exe
<Common Files>\Microsoft Shared\Stationery\Clear Day Bkgrd.jpg.exe
<Common Files>\Microsoft Shared\Stationery\Fiesta Bkgrd.jpg.exe
<Common Files>\Microsoft Shared\Stationery\Glacier Bkgrd.jpg.exe
<Common Files>\Microsoft Shared\Stationery\Leaves Bkgrd.jpg.exe
<Common Files>\Microsoft Shared\Stationery\Maize Bkgrd.jpg.exe
<Common Files>\Microsoft Shared\Stationery\Nature Bkgrd.jpg.exe
<Common Files>\Microsoft Shared\Stationery\Pie Charts Bkgrd.jpg.exe
<Common Files>\Microsoft Shared\Stationery\Sunflower Bkgrd.jpg.exe
<Program Files>\Microsoft Office\Templates\Access\100.JPG.exe
<Program Files>\Microsoft Office\Templates\Access\GRAY.JPG.exe
<Program Files>\Microsoft Office\Templates\Access\GRAYST.JPG.exe
<Program Files>\Microsoft Office\Templates\Access\MC.JPG.exe
<Program Files>\Microsoft Office\Templates\Access\MCST.JPG.exe
<Program Files>\Microsoft Office\Templates\Access\MSACCESS.JPG.exe
<Program Files>\Microsoft Office\Templates\Access\SKY.JPG.exe
<Program Files>\Microsoft Office\Templates\Access\STONES.JPG.exe
<Program Files>\Microsoft Office\Templates\Access\TILES.JPG.exe
<Program Files>\Microsoft Office\Templates\Access\ZIGZAG.JPG.exe
\nia_ramadani.exe
<Windows>\Web\Wallpaper\Ascent.jpg.exe
<Windows>\Web\Wallpaper\Autumn.jpg.exe
<Windows>\Web\Wallpaper\Azul.jpg.exe
<Windows>\Web\Wallpaper\Crystal.jpg.exe
<Windows>\Web\Wallpaper\Follow.jpg.exe
<Windows>\Web\Wallpaper\Friend.jpg.exe
<Windows>\Web\Wallpaper\Home.jpg.exe
<Windows>\Web\Wallpaper\Moon flower.jpg.exe
<Windows>\Web\Wallpaper\Peace.jpg.exe
<Windows>\Web\Wallpaper\Power.jpg.exe
<Windows>\Web\Wallpaper\Purple flower.jpg.exe
<Windows>\Web\Wallpaper\Radiance.jpg.exe
<Windows>\Web\Wallpaper\Red moon desert.jpg.exe
<Windows>\Web\Wallpaper\Ripple.jpg.exe
<Windows>\Web\Wallpaper\Stonehenge.jpg.exe
<Windows>\Web\Wallpaper\Tulips.jpg.exe
<Windows>\Web\Wallpaper\Vortec space.jpg.exe
<Windows>\Web\Wallpaper\Wind.jpg.exe
<Windows>\Web\Wallpaper\Windows XP.jpg.exe
<Windows>\host.exe
<Windows>\pchealth\helpctr\System\DVDUpgrd\stripe.jpg.exe
<Windows>\pchealth\helpctr\System\sysinfo\graphics\greendot.jpg.exe
<System>\oobe\html\mouse\images\bulzano.jpg.exe
<System>\oobe\html\mouse\images\bulzanom.jpg.exe
<System>\oobe\html\mouse\images\heidelb.jpg.exe
<System>\oobe\html\mouse\images\heidelbm.jpg.exe
<System>\oobe\html\mouse\images\paris.jpg.exe
<System>\oobe\html\mouse\images\parism.jpg.exe
<System>\oobe\html\mouse\images\pisa.jpg.exe
<System>\oobe\html\mouse\images\pisam.jpg.exe
<System>\oobe\html\mouse\images\prague.jpg.exe
<System>\oobe\html\mouse\images\praguem.jpg.exe
<System>\oobe\html\mouse\images\tyrol.jpg.exe
<System>\oobe\html\mouse\images\tyrolm.jpg.exe
<System>\oobe\html\mouse\images\venice.jpg.exe
<System>\oobe\html\mouse\images\venicem.jpg.exe
<System>\oobe\html\mouse\images\verona.jpg.exe
<System>\oobe\html\mouse\images\veronam.jpg.exe
<System>\oobe\images\backdown.jpg.exe
<System>\oobe\images\backoff.jpg.exe
<System>\oobe\images\backover.jpg.exe
<System>\oobe\images\backup.jpg.exe
<System>\oobe\images\mslogo.jpg.exe
<System>\oobe\images\newbtm1.jpg.exe
<System>\oobe\images\newbtm8.jpg.exe
<System>\oobe\images\newmark1.jpg.exe
<System>\oobe\images\newmark8.jpg.exe
<System>\oobe\images\newtop1.jpg.exe
<System>\oobe\images\newtop8.jpg.exe
<System>\oobe\images\nextdown.jpg.exe
<System>\oobe\images\nextoff.jpg.exe
<System>\oobe\images\nextover.jpg.exe
<System>\oobe\images\nextup.jpg.exe
<System>\oobe\images\oemcoa.jpg.exe
<System>\oobe\images\skipdown.jpg.exe
<System>\oobe\images\skipoff.jpg.exe
<System>\oobe\images\skipover.jpg.exe
<System>\oobe\images\skipup.jpg.exe
<System>\oobe\images\wpaback.jpg.exe
<System>\oobe\images\wpabtm.jpg.exe
<System>\oobe\images\wpaflag.jpg.exe
<System>\oobe\images\wpakey.jpg.exe
<System>\oobe\images\wpatop.jpg.exe
The following registry entry is created to run host.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
Run
<Windows>\host.exe
The following registry entry is set, disabling the registry editor (regedit):
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1
Registry entries are set as follows:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFolderOptions
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
DefaultValue
1
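
The file names and registry values listed above can be checked against a collected file listing and registry export. The following is an added example, not part of the original advisory; the function names, the (key, name, data) snapshot format, the default C:\Windows location and the sample data are assumptions made for illustration.

```python
import re
from pathlib import PureWindowsPath

DOUBLE_EXT = re.compile(r"\.jpg\.exe$", re.IGNORECASE)  # image name, executable type
POLICY = r"Software\Microsoft\Windows\CurrentVersion\Policies"
ADVANCED = r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
# (key, value name) -> data, as listed in the advisory. None stands for
# "<Windows>\host.exe", matched by suffix because <Windows> varies per host.
WORM_VALUES = {
    ("HKLM\\" + POLICY + r"\Explorer", "Run"): None,
    ("HKCU\\" + POLICY + r"\System", "DisableRegistryTools"): "1",
    ("HKCU\\" + POLICY + r"\Explorer", "NoFolderOptions"): "1",
    ("HKCU\\" + ADVANCED, "Hidden"): "0",
    ("HKCU\\" + ADVANCED, "HideFileExt"): "1",
    ("HKLM\\" + ADVANCED + r"\Folder\Hidden\SHOWALL", "DefaultValue"): "1",
}
_LOOKUP = {(k.lower(), n.lower()): d for (k, n), d in WORM_VALUES.items()}

def suspicious_files(paths, windows_dir=r"C:\Windows"):
    """Return paths that match the drop names (Windows paths are case-insensitive)."""
    hits = []
    for p in paths:
        wp = PureWindowsPath(p)
        name = wp.name.lower()
        if (DOUBLE_EXT.search(name) or name == "nia_ramadani.exe"
                or (name == "host.exe" and wp.parent == PureWindowsPath(windows_dir))):
            hits.append(p)
    return hits

def suspicious_registry(entries):
    """Return (key, name, data) tuples whose data equals what the worm sets."""
    hits = []
    for key, name, data in entries:
        ident = (key.rstrip("\\").lower(), name.lower())
        if ident not in _LOOKUP:
            continue
        want, value = _LOOKUP[ident], str(data).lower()
        if (want is None and value.endswith(r"\host.exe")) or value == want:
            hits.append((key, name, data))
    return hits

# Constructed sample input (not taken from a real host).
SAMPLE_FILES = [r"C:\Windows\Web\Wallpaper\Tulips.jpg.exe", r"C:\Tools\host.exe",
                r"C:\Windows\Web\Wallpaper\Tulips.jpg", r"C:\WINDOWS\host.exe",
                r"E:\nia_ramadani.exe"]
SAMPLE_REG = [("HKCU\\" + POLICY + r"\System", "DisableRegistryTools", 1),
              ("HKCU\\" + ADVANCED, "HideFileExt", 0),
              (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer",
               "Run", r"C:\WINDOWS\host.exe")]
```

HideFileExt set to 1 is also the Windows default, so a registry match on that value alone is weak; it matters in combination with file hits or the other values.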