Summary

| Affected operating systems | Windows |
|---|---|
| Characteristics | |
| Protection available since | 13 January 2006 22:26:36 (GMT) |
| Last updated | 25 January 2006 06:31:48 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
More Information
W32/Decoy-A is a worm for the Windows platform that disguises itself with an MS Word icon.
W32/Decoy-A spreads by:
- copying itself to the available drives and shared folders using the following filenames:
  - AdultOnly.exe
  - Asian.exe
  - Virtual Girl.exe
  - Winamp590.exe
  - Winrar09.exe
  - WinZip XP Final.exe
  - X-Photos.exe
  - BestModel.exe
  - Cool Screen Saver.exe
  - DirectX10a.exe
  - Game Nude.exe
  - Hot Screen Saver.exe
  - HotBabe.exe
  - Model Asian.exe
  - Model VG.exe
  - V-Girl7.exe
  - JapaneseGirl.exe
- replacing existing MS Word documents with itself using the name <filename>.DOC.exe, where filename is the name of the replaced file.
When installed, W32/Decoy-A copies itself to <System>\I75-D2\dkernel.exe and creates the following files:
- <Windows>\lExplorer.exe
- <System>\I75-D2\d2.mix
- <System>\I75-D2\inz.d
The following registry entries are set to run the worm on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
dKernel
<System>\I75-D2\dkernel.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
lExplorer.exe
<Windows>\lExplorer.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
explorer.ex lExplorer.exe
(the default value for this registry entry is "Explorer.exe", which causes the Microsoft file <Windows>\Explorer.exe to be run on startup)

W32/Decoy-A also modifies the system.ini file to make sure lExplorer.exe is executed at reboot.
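
As an added example (not Sophos code), the persistence and file indicators listed above can be checked against a registry export and a file listing collected from a suspect machine. The tuple input format, the function names, the drive letters and all sample entries are assumptions constructed for illustration.

```python
import ntpath

# Indicators below are taken from the description above.
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
WINLOGON_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
RUN_TARGETS = {"dkernel.exe", "lexplorer.exe"}  # Windows names are case-insensitive
INSTALL_DIR = "i75-d2"
DEFAULT_SHELL = "explorer.exe"


def check_registry(entries):
    """entries: (key, value name, data) tuples, e.g. parsed from a registry export."""
    findings = []
    for key, name, data in entries:
        key_l, data_l = key.lower(), data.strip().strip('"').lower()
        if key_l == WINLOGON_KEY.lower() and name.lower() == "shell":
            # Default data is "Explorer.exe"; anything else runs extra code at logon.
            if data_l != DEFAULT_SHELL:
                findings.append(("winlogon-shell", data))
        elif key_l == RUN_KEY.lower() and ntpath.basename(data_l) in RUN_TARGETS:
            findings.append(("run-key", f"{name} -> {data}"))
    return findings


def check_files(paths):
    """paths: full Windows paths taken from a directory listing."""
    findings = []
    for path in paths:
        folder, base = ntpath.split(path.lower())
        if base.endswith(".doc.exe"):
            findings.append(("replaced-document", path))
        elif ntpath.basename(folder) == INSTALL_DIR or base == "lexplorer.exe":
            findings.append(("dropped-file", path))
    return findings


# Constructed sample data (not from a real host); paths and the benign entry are assumed.
SAMPLE_REGISTRY = [
    (RUN_KEY, "dKernel", r"C:\WINDOWS\system32\I75-D2\dkernel.exe"),
    (RUN_KEY, "lExplorer.exe", r"C:\WINDOWS\lExplorer.exe"),
    (RUN_KEY, "ExampleTray", r"C:\Program Files\Example\tray.exe"),
    (WINLOGON_KEY, "Shell", "explorer.ex lExplorer.exe"),
]
SAMPLE_FILES = [
    r"C:\WINDOWS\explorer.exe", r"C:\WINDOWS\lExplorer.exe",
    r"C:\WINDOWS\system32\I75-D2\inz.d",
    r"D:\Reports\budget.DOC.exe", r"D:\Reports\notes.doc",
]
```

The legitimate `explorer.exe` and the untouched `notes.doc` are not reported; the lookalike `lExplorer.exe` (lowercase L) is.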
