W32/SillyFDC-BN is a worm for the Windows platform.
W32/SillyFDC-BN includes functionality to access the internet and communicate with a remote server via HTTP.
W32/SillyFDC-BN spreads via removable shared drives by copying itself to <Root>\RECYCLER\RECYCLER\autorun.exe and creating the file <Root>\autorun.inf. The file <Root>\autorun.inf is also detected as W32/SillyFDC-BG and is designed to run the worm when the removable drive is connected to an uninfected computer.
When first run, W32/SillyFDC-BN copies itself to <Windows>\msmsgs.exe and creates the following files:
<Common Files>\Microsoft Shared\MSInfo\zrpacinr.dll
<Common Files>\Microsoft Shared\MSInfo\zrpacinr.drv
<Common Files>\Microsoft Shared\MSInfo\zrpacinr.sys
<Windows>\Debug\passdb.log
<Windows>\Debug\sysdbg.dll
<Windows>\Debug\sysdeb.ini
The file zrpacinr.dll is detected as Mal/Behav-010, the file zrpacinr.drv is detected as Troj/PcClien-KR and the file zrpacinr.sys is detected as Troj/RKProc-H. The files passdb.log, sysdbg.dll and sysdeb.ini are not malicious and may be deleted.
The following registry entry is created to run W32/SillyFDC-BN on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Messenger
<Windows>\msmsgs.exe
The file zrpacinr.sys is registered as a new system driver service named "zrpacinr", with a display name of "zrpacinr" and a startup type of automatic, so that it is started automatically during system startup. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\zrpacinr
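As an added example (not part of this description), the following Python helpers check a removable drive's autorun.inf and a regedit .reg export for the indicators listed above: the autorun.exe target under RECYCLER\RECYCLER, the "Windows Messenger" Run value pointing at msmsgs.exe, and the zrpacinr service key. The set of autorun.inf launch directives is an assumption, and the sample inputs are constructed.

```python
# Indicators taken from the description above; Windows paths and registry
# names compare case-insensitively, so everything is lower-cased.
WORM_AUTORUN_TARGET = r"recycler\recycler\autorun.exe"
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
SERVICE_KEY = r"hkey_local_machine\system\currentcontrolset\services\zrpacinr"
# autorun.inf directives that can launch a program (assumed, generic set).
LAUNCH_KEYS = {"open", "shellexecute", "shell\\open\\command"}


def _sections(text):
    """Yield (section, key, value) triples from INI-style text (.inf or .reg)."""
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            yield section, None, None
        elif "=" in line and not line.startswith(";"):
            key, _, value = line.partition("=")
            yield section, key.strip().strip('"').lower(), value.strip().strip('"')


def autorun_points_to_worm(autorun_inf_text):
    """True if a launch directive under [autorun] names the worm's copy."""
    for section, key, value in _sections(autorun_inf_text):
        if section == "autorun" and key in LAUNCH_KEYS:
            path = value.lower().replace("/", "\\").lstrip(".\\")
            if path == WORM_AUTORUN_TARGET:
                return True
    return False


def registry_export_findings(reg_text):
    """Check a regedit .reg export for the Run value and the driver service."""
    found = {"run_value": False, "service_key": False}
    for section, key, value in _sections(reg_text):
        if section == SERVICE_KEY:
            found["service_key"] = True
        elif section == RUN_KEY and key == "windows messenger":
            # .reg exports double the backslashes inside string data.
            found["run_value"] = value.replace("\\\\", "\\").lower().endswith("\\msmsgs.exe")
    return found


# Constructed sample inputs (not real captures) for demonstration.
SAMPLE_AUTORUN_INF = "[autorun]\nopen=RECYCLER\\RECYCLER\\autorun.exe\n"
SAMPLE_REG_EXPORT = (
    "Windows Registry Editor Version 5.00\n\n"
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]\n"
    '"Windows Messenger"="C:\\\\WINDOWS\\\\msmsgs.exe"\n\n'
    "[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\zrpacinr]\n"
    '"DisplayName"="zrpacinr"\n'
)
```

On a real machine the export comes from `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg` (and likewise for the Services key), and the autorun.inf is read from the root of the removable drive.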