W32/Pykse-C is a worm for the Windows platform.
W32/Pykse-C includes functionality to access the internet and communicate with a remote server via HTTP.
When first run, W32/Pykse-C copies itself to:
<System>\mshtmldat32.exe
<System>\sdrivew32.exe
<System>\winlgcvers.exe
<System>\wndrivs32.exe
It also copies itself to any removable drives as:
<Removable Drive>:\game.exe
<Removable Drive>:\zjbs.exe
It will also create an AUTORUN.INF file which is detected as W32/Pykse-C.
The following registry entry is created to run mshtmldat32.exe on startup (key, then value name = value data):
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Services Start = mshtmldat32.exe
Registry entries are set as follows:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
Policies Options = m
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Windows Sys = explorer.exe mshtmldat32.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Logon Settings = mshtmldat32.exe
Registry entries are created under:
HKCU\Software\RMX\cfg
HKLM\SOFTWARE\RMX\cfg
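The file paths and registry values listed above are the indicators an incident responder would check a suspect host for. The following read-only PowerShell triage script is an added example, not part of the Sophos analysis: it looks for each file and registry indicator named on this page and reports what it finds, removing nothing. The value names and data it compares against are taken as listed here; `<System>` is resolved through `[Environment]::SystemDirectory`.

```powershell
# Added triage example (not from the Sophos analysis): reports the W32/Pykse-C
# file and registry indicators listed above if they are present on this host.
# Read-only: nothing is deleted or changed.

$findings = @()

# Copies dropped into the <System> directory
$systemDir = [Environment]::SystemDirectory
foreach ($name in 'mshtmldat32.exe','sdrivew32.exe','winlgcvers.exe','wndrivs32.exe') {
    $path = Join-Path $systemDir $name
    if (Test-Path -LiteralPath $path) { $findings += "File present: $path" }
}

# Copies on removable drives plus the AUTORUN.INF that launches them
# (Win32_LogicalDisk DriveType 2 = removable disk)
Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=2' | ForEach-Object {
    foreach ($name in 'game.exe','zjbs.exe','AUTORUN.INF') {
        $path = Join-Path $_.DeviceID $name
        if (Test-Path -LiteralPath $path) { $findings += "File present: $path" }
    }
}

# Persistence values from the analysis: key, value name, expected value data
$regValues = @(
    @{ Key='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce';               Name='Services Start';   Data='mshtmldat32.exe' },
    @{ Key='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run'; Name='Policies Options'; Data='m' },
    @{ Key='HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';           Name='Windows Sys';      Data='explorer.exe mshtmldat32.exe' },
    @{ Key='HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';           Name='Logon Settings';   Data='mshtmldat32.exe' }
)
foreach ($v in $regValues) {
    if (-not (Test-Path -LiteralPath $v.Key)) { continue }
    $item = Get-ItemProperty -LiteralPath $v.Key -Name $v.Name -ErrorAction SilentlyContinue
    if ($null -ne $item) {
        # Value names contain spaces, so read the property by name
        $actual = $item.($v.Name)
        $match  = if ($actual -eq $v.Data) { 'matches the analysis' } else { 'differs from the analysis' }
        $findings += "Registry value $($v.Key)\$($v.Name) = '$actual' ($match)"
    }
}

# Configuration keys the worm creates
foreach ($key in 'HKCU:\Software\RMX\cfg','HKLM:\SOFTWARE\RMX\cfg') {
    if (Test-Path -LiteralPath $key) { $findings += "Registry key present: $key" }
}

if ($findings.Count -eq 0) {
    Write-Output 'No W32/Pykse-C indicators found.'
} else {
    $findings | ForEach-Object { Write-Output $_ }
}
```

Run it from an elevated PowerShell so the HKLM keys and the system directory are readable. On 64-bit Windows, use a 64-bit PowerShell and also look under SysWOW64 and the Wow6432Node registry paths, since a 32-bit sample's writes may have been redirected there.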
Sophos's anti-virus products include Behavioral Genotype® Protection, which can proactively guard against new threats without requiring an update. Sophos customers have been protected against W32/Pykse-C (detected as Mal/Behav-043) since version 4.18.