high
Summary
Summary
Action- More Information
| How it spreads |
|
|---|---|
| Affected operating systems | Windows |
| Protection available since | 7 May 2008 18:08:28 (GMT) |
| Detected by | All Sophos products |
Free virus scan
- Free virus, spyware, and adware scan
- Test your existing anti-virus protection
- Find threats your anti-virus missed
Action
- Summary
- Action
- More Information
Please follow the instructions for removing worms.
More Information
W32/Autorun-DV is a Windows worm.
When W32/Autorun-DV is installed the following files are created:
%HISTORY%\History.IE5\MSHist012008050720080508\index.dat
%PROFILE%\Recent\autocom.lnk
%PROFILE%\Recent\bin.lnk
%MY_DOCUMENTS%\results.txt
<System>\~A~m~B~u~R~a~D~u~L~\csrss.exe
<System>\~A~m~B~u~R~a~D~u~L~\smss.exe
<System>\~A~m~B~u~R~a~D~u~L~\lsass.exe
<System>\~A~m~B~u~R~a~D~u~L~\services.exe
<System>\~A~m~B~u~R~a~D~u~L~\winlogon.exe
<System>\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
<System>\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll
Also these file will be created on USB keys as well and the hard drive:
\Autorun.inf
\MyImages.exe
\J3MbataN K4HaYan.exe
\PaLMa.exe
\Friendster Community.exe
\FoToKu 7-5-2008.exe
\Images\_PAlbTN\GePaCar4an Neh!!!.exe
\Images\PiKnIk dT4ngKilin9.exe
The following registry entries are created to run W32/Autorun-DV on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVManager = C:\WINDOWS\system32\~A~m~B~u~R~a~D~u~L~\csrss.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = C:\WINDOWS\system32\~A~m~B~u~R~a~D~u~L~\smss.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = C:\WINDOWS\system32\~A~m~B~u~R~a~D~u~L~\lsass.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ConfigVir = C:\WINDOWS\system32\~A~m~B~u~R~a~D~u~L~\services.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = C:\WINDOWS\system32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
|
