Sophos

W32/Aozo-B

Aliases
  • Win32.HLLW.Aozo

Summary

Protection available since 29 March 2004 14:05:53 (GMT)
Detected by All Sophos products

More Information

W32/Aozo-B is a worm that spreads through network shares, peer-to-peer filesharing networks and IRC channels.

When executed, W32/Aozo-B creates the following copies of itself:

  • notepad.exe in the Windows folder
  • w00t.exe in the Windows system folder
  • Config.dll, W32.Darkness.Krew.exe and Windows Update.exe in the Windows system32 folder
  • Config.dll, Mr_Zer0.exe and Mydoom Patch.exe in the root folder
  • Windows Update.exe in the Windows Startup folder

W32/Aozo-B sets the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Configuration Loader
with the path to the Windows Update.exe file

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update
with the path to the System.exe file

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Msn Messenger
with the path to the Mr_Zer0.exe file

W32/Aozo-B also hijacks the Internet Explorer start page by setting the following registry entry:

HKU\Software\Microsoft\Internet Explorer\Main\Start Page
= "http://www.gayporn.com"

W32/Aozo-B attempts to copy itself to the root folder of accessible network shares as All Your Games.exe.
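The persistence entries, dropped copies and start-page change listed above can be turned into a simple offline hunt. The Python below is an added example and not Sophos code: it parses a .reg-style export of the Run key and the Internet Explorer Main key, compares it with a file listing, and reports what matches. The registry export and file listing are constructed samples; the value names, file names and start page are the ones from this write-up. notepad.exe is deliberately not matched by name, because a legitimate notepad.exe lives in the Windows folder and only a hash comparison would tell the worm's copy apart.

```python
"""Offline hunt for the W32/Aozo-B persistence and file-drop indicators listed
above. Added example, not Sophos code; the sample registry export and file
listing below are constructed for illustration."""
import re
from typing import Dict, List

# Run-key value names and the executable each one points at (from the write-up).
AOZO_RUN_VALUES = {
    "Configuration Loader": "Windows Update.exe",
    "Windows Update": "System.exe",
    "Msn Messenger": "Mr_Zer0.exe",
}
# Dropped-file names from the write-up, lower-cased for case-insensitive matching.
# notepad.exe is left out on purpose: a legitimate copy lives in the Windows
# folder, so only a hash comparison would tell the worm's copy apart.
AOZO_DROPPED = {
    "w00t.exe", "config.dll", "w32.darkness.krew.exe", "windows update.exe",
    "mr_zer0.exe", "mydoom patch.exe", "all your games.exe",
}
AOZO_START_PAGE = "http://www.gayporn.com"

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
IE_MAIN_SUFFIX = r"\Software\Microsoft\Internet Explorer\Main"

# One REG_SZ line of a .reg export: "name"="data", with .reg escaping allowed.
_REG_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    # Undo .reg escaping: doubled backslashes and escaped double quotes.
    return s.replace('\\\\', '\\').replace('\\"', '"')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for REG_SZ values in a .reg export: {key: {name: data}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = _REG_VALUE.match(line)
            if m:
                keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def find_indicators(reg_text: str, file_paths: List[str]) -> List[str]:
    """Return human-readable findings; an empty list means nothing matched."""
    findings: List[str] = []
    reg = parse_reg_export(reg_text)

    # Persistence: the worm's value names look benign ("Windows Update"), so
    # match the value name together with the executable it points at.
    run_values = reg.get(RUN_KEY, {})
    for name, exe in AOZO_RUN_VALUES.items():
        data = run_values.get(name, "")
        if data.lower().endswith(exe.lower()):
            findings.append(f"run-key persistence: {name} -> {data}")

    # The start-page hijack can sit under any user hive, so match the key suffix.
    for key, values in reg.items():
        if key.lower().endswith(IE_MAIN_SUFFIX.lower()) and \
                values.get("Start Page", "").lower() == AOZO_START_PAGE:
            findings.append(f"IE start page hijack: {key}")

    # Dropped copies: compare the base name only, case-insensitively.
    for path in file_paths:
        base = path.rsplit("\\", 1)[-1].lower()
        if base in AOZO_DROPPED:
            findings.append(f"dropped file: {path}")
    return findings


# Constructed sample inputs (not taken from a real infection).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Configuration Loader"="C:\\WINDOWS\\system32\\Windows Update.exe"
"Windows Update"="C:\\WINDOWS\\System.exe"
"Msn Messenger"="C:\\Mr_Zer0.exe"
"SoundMAX"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMTray.exe"

[HKEY_USERS\S-1-5-21-1004336348-1001\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.gayporn.com"
'''

SAMPLE_FILES = [
    r"C:\WINDOWS\notepad.exe",
    r"C:\WINDOWS\system32\w00t.exe",
    r"C:\Config.dll",
    r"C:\Program Files\7-Zip\7z.exe",
]

if __name__ == "__main__":
    for finding in find_indicators(SAMPLE_REG, SAMPLE_FILES):
        print(finding)
```

On the sample input the script reports the three Run values, the start-page change and the two dropped files (w00t.exe and Config.dll); the unrelated SoundMAX entry, notepad.exe and 7z.exe are ignored. A real export is produced with `reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Run run.reg` and the matching key under HKEY_USERS, and the file listing with `dir /s /b`.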

W32/Aozo-B attempts to copy itself to the available share folders of peer-to-peer filesharing networks, or to C:\My Shared Folder, with the following filenames:
Aim bot 2004 .exe
All Vb Codes.exe
Credit Card Genarator 2004.exe
Darkness_Krew (Mr_Zer0,n1tr0,Mr_Docktor,HeXcoN).exe
Ddos Bot 2004.exe
Drug Wars 2004.exe
Hackers Expert (hack the world!).exe
Hotmail Hacker Gold 2004 (Special Edition).exe
Hotmail Password Stealer.exe
MirC Kick Bot.exe
Msblast - Patch.exe
Msn Messenger 6x Crasher.exe
Msn Messenger 6x Emotion Pack (More Than 1000).exe
Msn Webcam Hack (Watch any one with out them knowin!,MUST DOWNLOAD!).exe
My Doom (Get Rid Of The Nasty Worm!).exe
Mydoom patch! (working).exe
Need for Speed Underground (BOTS).exe
Norton 2004 (Crack).exe
Nuker 2004.exe
Optix pro 5.exe
Pussi-Lover-Game.exe
Quake 3 Aim bot.exe
Quake 4 (Demo Patch).exe
Serials 2004.exe
Steal Credit cards (Get them sent to your email!).exe
Sub 7 2004.exe
Sub 7 Password Cracker.exe
Syn flooder 2004.exe
Visual Basic 6 Decompiler.exe
W32.Darkness.krew.exe
Windows Keygen (ALL VERSION OF WINDOWS!).exe
Yahoo Webcam Hack.exe
Yahoo bot 2004 (kick,pw stealer etc).exe
aim kicker 2004.exe
ebook Visual Basic 6 (Black Book 2004.exe
hentai game cd patch.exe

W32/Aozo-B may also create a mIRC script (mirc.ini) that sends out a copy of the worm under the filename windows~.exe.

As a payload, W32/Aozo-B pings Symantec.com and download.com, and may also share all drives on the infected machine.

W32/Aozo-B attempts to terminate a number of processes belonging to anti-virus and other security applications, matching the following process names:
_AVP32.EXE
_AVPCC.EXE
_AVPM.EXE
ACKWIN32.EXE
ANTI-TROJAN.EXE
APVXDWIN.EXE
AUTODOWN.EXE
AVCONSOL.EXE
AVE32.EXE
AVGCTRL.EXE
AVKSERV.EXE
AVNT.EXE
AVP.EXE
AVP32.EXE
AVPCC.EXE
AVPDOS32.EXE
AVPM.EXE
AVPMON.EXE
AVPNT.EXE
AVPTC32.EXE
AVPUPD.EXE
AVSCHED32.EXE
AVWIN95.EXE
AVWUPD32.EXE
BLACKD.EXE
BLACKICE.EXE
CCAPP.EXE
CFIADMIN.EXE
ESAFE.EXE
CFIAUDIT.EXE
CFIND.EXE
CFINET.EXE
CFINET32.EXE
CLAW95.EXE
CLAW95CF.EXE
CLAW95CT.EXE
CLEANER.EXE
CLEANER3.EXE
DV95.EXE
DV95_O.EXE
DVP95.EXE
DVP95_0.EXE
TerminateEXE
ECENGINE.EXE
EFINET32.EXE
ESPWATCH.EXE
F-AGNT95.EXE
FINDVIRU.EXE
FPROT.EXE
F-PROT.EXE
FPROT95.EXE
F-PROT95.EXE
FP-WIN.EXE
FRW.EXE
F-STOPW.EXE
IAMAPP.EXE
IAMSERV.EXE
IBMASN.EXE
IBMAVSP.EXE
ICLOAD95.EXE
ICLOADNT.EXE
ICMON.EXE
ICMOON.EXE
ICSSUPPNT.EXE
ICSUPP95.EXE
ICSUPPNT.EXE
IFACE.EXE
IOMON98.EXE
JED.EXE
JEDI.EXE
KPF.EXE
KPFW32.EXE
LOCKDOWN2000.EXE
LOOKOUT.EXE
LUALL.EXE
MOOLIVE.EXE
MPFTRAY.EXE
N32SCAN.EXE
N32SCANW.EXE
NAVAPW32.EXE
NAVLU32.EXE
NAVNT.EXE
NAVSCHED.EXE
NAVW.EXE
NAVW32.EXE
VET95.EXE
NAVWNT.EXE
NISUM.EXE
NMAIN.EXE
NORMIST.EXE
NUPGRADE.EXE
NVC95.EXE
OUTPOST.EXE
PADMIN.EXE
PAVCL.EXE
PAVSCHED.EXE
PAVW.EXE
PCCWIN98.EXE
PCFWALLICON.EXE
PERSFW.EXE
RAV7.EXE
RAV7WIN.EXE
RESCUE.EXE
SAFEWEB.EXE
SCAN32.EXE
SCAN95.EXE
SCANPM.EXE
SCRSCAN.EXE
SERV95.EXE
SMC.EXE
SPHINX.EXE
SWEEP95.EXE
TBSCAN.EXE
TCA.EXE
TDS2-98.EXE
TDS2-NT.EXE
VCONTROL.EXE
VET32.EXE
VET98.EXE
VETTRAY.EXE
VSCAN40.EXE
VSECOMR.EXE
VSHWIN32.EXE
VSSCAN40.EXE
VSSTAT.EXE
WEBSCAN.EXE
WEBSCANX.EXE
WFINDV32.EXE
ZAPRO.EXE

together with any process or window whose name or title contains one of the following strings:
zonealarm.EXE
mcafee.exe
navapsvc.exe
zaplus.exe
vsmon.exe
MS-DOS Prompt
Norton Antivirus
Registry Editor
Windows Task Manager
System Configuration Utility
close program
Norton AntiVirus Professional
ZoneAlarm Pro
