Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Characteristics | |
| Protection available since | 22 July 2005 12:57:29 (GMT) |
| Detected by | All Sophos products |

- Endpoint Security and Control 9.0
- Small business solutions 4.0
Action

Please follow the instructions for removing worms.
Windows NT/2000/XP/2003
In Windows NT/2000/XP/2003 you will also need to edit the following registry entry. Removing this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entry:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
<randomly chosen existing folder name>
<path to worm> /startup
and delete it if it exists.
Close the registry editor.
More Information
W32/Antinny-L is a P2P worm for the Windows platform. W32/Antinny-L spreads via file sharing on WinNY networks.
When first run, W32/Antinny-L enumerates the folders on the infected computer, randomly selects an existing folder name, appends one of the following strings to that name together with an '.exe' extension, and copies itself to that folder under the resulting name:
- '_cfg'
- '_config'
- '_start'
- '_login'
- '_setup'
- '_env'
- '_loader'
- '_autorun'
For example, if the randomly chosen folder name is "example", the worm may attempt to copy itself to the <example> folder as "example_config.exe".
W32/Antinny-L then creates the file <Temp>\<original executable filename>.mp3, which contains only an ID3 tag with corrupt data, and runs Windows Media Player to play that file. Because the file is corrupt, Windows Media Player will not play it correctly and will report an error message.
W32/Antinny-L then creates the following registry entry to run itself on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
<randomly chosen existing folder name>
<path to worm> /startup
W32/Antinny-L includes functionality to access the internet and communicate with a remote server via HTTP.
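The naming scheme and the Run-key entry described above can be turned into a simple host check. The following is an added example, not Sophos code: it runs over a constructed snapshot of Run values and folder names (labelled as such in the code) and flags entries where the value name is an existing folder, the data is '<path> /startup', and the path is <folder>_<suffix>.exe inside a folder of that name.

```python
import ntpath
import re

# Suffixes the analysis says W32/Antinny-L appends to the chosen folder name.
ANTINNY_SUFFIXES = ("_cfg", "_config", "_start", "_login", "_setup",
                    "_env", "_loader", "_autorun")

# Constructed sample of HKLM\...\CurrentVersion\Run values (name -> data).
# On a live Windows host these would be read with winreg; this is test data.
SAMPLE_RUN_VALUES = {
    "SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe",
    "Reports": r"C:\Users\alice\Documents\Reports\Reports_config.exe /startup",
    "Photos": r"C:\Users\alice\Pictures\Photos\Photos_env.exe",
}

# Constructed list of folder names that exist on the sample machine.
SAMPLE_FOLDERS = {"Reports", "Photos", "Downloads"}


def matches_antinny_name(exe_path: str, folder: str) -> bool:
    """True if exe_path is <folder><suffix>.exe located in a folder named <folder>."""
    parent, base = ntpath.split(exe_path)
    if ntpath.basename(parent).lower() != folder.lower():
        return False
    stem, ext = ntpath.splitext(base)
    if ext.lower() != ".exe":
        return False
    return any(stem.lower() == (folder + s).lower() for s in ANTINNY_SUFFIXES)


def suspicious_run_entries(run_values, existing_folders):
    """Return Run value names matching the persistence pattern in the analysis:
    value name is an existing folder name, data is '<path> /startup', and the
    path follows the <folder>_<suffix>.exe naming scheme."""
    folder_names = {f.lower() for f in existing_folders}
    hits = []
    for name, data in run_values.items():
        # Accept an optionally quoted .exe path followed by the /startup switch.
        m = re.fullmatch(r'"?(.+?\.exe)"?\s+/startup', data.strip(), re.IGNORECASE)
        if not m or name.lower() not in folder_names:
            continue
        if matches_antinny_name(m.group(1), name):
            hits.append(name)
    return hits


if __name__ == "__main__":
    print(suspicious_run_entries(SAMPLE_RUN_VALUES, SAMPLE_FOLDERS))
```

The "Photos" entry is deliberately left unflagged: it matches the file-naming scheme but lacks the '/startup' argument, so the check requires both indicators before reporting.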
