W32/SillyFD-AA

Category: Viruses and Spyware Protection available since:03 May 2007 00:00:00 (GMT)
Type: Win32 worm Last Updated:03 May 2007 00:00:00 (GMT)
Prevalence: Small Number of Reports

Download Download our free Virus Removal Tool - Find and remove threats your antivirus missed

W32/SillyFD-AA is a worm for the Windows platform.

Once installed W32/SillyFD-AA spreads through removable storage devices, including floppy drives and USB keys. The worm attempts to create a hidden file Autorun.inf on the removeable drive and copy itself to the removeable drive with the hidden filename <Root>\handydriver.exe.

The file <Root>\Autorun.inf is designed to start the worm once the removable drive is connected to a uninfected computer.

W32/SillyFD-AA copies itself to the following locations:
<Root>\kerneldrive.exe
<Windows>\regedit.exe
<Windows>\pchealth\helpctr\Binaries\msconfig.exe
<System>\systeminit.exe
<System>\wininit.exe
<System>\winsystem.exe
<System>\cmd.exe
<System>\taskmgr.exe


W32/SillyFD-AA also creates the following file <Root>\autorun.inf.

The following registry entries are set to run W32/SillyFD-AA to run itself on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
<System>\userinit.exe,<System>\systeminit.exe,

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
wininit
<System>\wininit.exe


The following registry entries are also set:

HKCU\Software\Microsoft\Internet Explorer\Main
Window Title
Hacked by 1BYTE

HKCU\Software\Microsoft
ServicePack
1.2

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer
SearchHidden
0

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer
SearchSystemDirs
0

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFolderOptions
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegedit
1


HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1


HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
1

HKCU\Software\Microsoft
nFlag
1


HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
SuperHidden
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoDriveTypeAutoRun
0

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
1

download Try Sophos products for free
Download now

© 1997 - 2012 Sophos Ltd. All rights reserved. Legal Privacy