Summary
| Affected operating systems | Windows |
|---|---|
| Characteristics | |
| Protection available since | 30 June 2008 19:18:17 (GMT) |
| Detected by | All Sophos products, including Endpoint Security and Control 9.0 and Small business solutions 4.0 |
Action
Please follow the instructions for removing worms.
More Information
W32/Malas-F is a worm for the Windows platform.
When first run, W32/Malas-F copies itself to:
<Startup>\AdobeUpdate.exe
<Temp>\svchost.exe
<User>\userinit.exe
<Common Files>\Microsoft Shared\MSshare.exe
<Program Files>\XPCode\SexGame.exe
<Program Files>\XPCode\SexGameList.pif
<Program Files>\XPCode\SexScreenSaver.scr
<Root>\autoply.exe
<Windows>\Web\OfficeUpdate.exe
and creates the following files:
<Root>\Autorun.inf
<User>\Application Data\Microsoft\Crypto\rsa\s-1-5-18\d42cc0c3858a58db2db37658219e6400_b51db6e2-3a90-48f4-b2a9-edf389bedc4b
<Startup>\Office Update.lnk
<Program Files>\XPCode\Games.lnk
<Windows>\Tasks\At1.job
<Windows>\Tasks\At2.job
<System>\Microsoft\Protect\s-1-5-18\User\Preferred
<System>\Microsoft\Protect\s-1-5-18\User\cb79b07c-49ed-4f3b-a608-b5231418c3c8
The file Autorun.inf is detected as W32/Malas-A.
The following registry entry is created to run userinit.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SoundMax
<User>\userinit.exe
The following registry entries are set, disabling System Restore:
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
DisableConfig
1
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
DisableSR
1
The following registry entries are set, altering how Explorer displays hidden files, file extensions and the Folder Options menu:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Nofolderoptions
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
2
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
2
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
2
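The file paths and registry values listed above can be turned into a read-only host check. The script below is an added example, not part of the Sophos page and not a Sophos tool: it looks for the persistence entry, the System Restore policy values and the Explorer display values exactly as the page lists them, and for the dropped file names under the usual expansions of the placeholders. The mapping of the page's placeholders (`<Startup>`, `<Temp>`, `<User>`, `<Common Files>`, `<Program Files>`, `<Root>`, `<Windows>`, `<System>`) to environment variables is an assumption, and `<Startup>` is taken here as the current user's Startup folder; the function and variable names are the example's own.

```powershell
# Added example (not from the Sophos page). Read-only check for the W32/Malas-F
# indicators described above; it reports findings and changes nothing.

# Registry indicators, with the value data the page lists. 'Expected' is omitted for
# the Run entry because only its presence matters (its data is the userinit.exe path).
$MalasRegistryIndicators = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';                 Name = 'SoundMax';        Note = 'persistence entry that launches userinit.exe at startup' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore';          Name = 'DisableConfig';   Expected = 1; Note = 'System Restore configuration disabled' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore';          Name = 'DisableSR';       Expected = 1; Note = 'System Restore disabled' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer';   Name = 'NoFolderOptions'; Expected = 1; Note = 'Folder Options removed from Explorer' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced';   Name = 'Hidden';          Expected = 2; Note = 'hidden files not shown' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced';   Name = 'HideFileExt';     Expected = 2; Note = 'file extensions hidden' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced';   Name = 'ShowSuperHidden'; Expected = 2; Note = 'protected operating system files hidden' }
)

# Dropped-file indicators. Placeholder-to-folder mapping is an assumption of this example.
$MalasFileIndicators = @(
    (Join-Path ([Environment]::GetFolderPath('Startup')) 'AdobeUpdate.exe'),
    (Join-Path ([Environment]::GetFolderPath('Startup')) 'Office Update.lnk'),
    (Join-Path $env:TEMP 'svchost.exe'),
    (Join-Path $env:USERPROFILE 'userinit.exe'),
    (Join-Path $env:CommonProgramFiles 'Microsoft Shared\MSshare.exe'),
    (Join-Path $env:ProgramFiles 'XPCode\SexGame.exe'),
    (Join-Path $env:ProgramFiles 'XPCode\SexGameList.pif'),
    (Join-Path $env:ProgramFiles 'XPCode\SexScreenSaver.scr'),
    (Join-Path $env:ProgramFiles 'XPCode\Games.lnk'),
    (Join-Path "$env:SystemDrive\" 'autoply.exe'),
    (Join-Path "$env:SystemDrive\" 'Autorun.inf'),
    (Join-Path $env:windir 'Web\OfficeUpdate.exe'),
    (Join-Path $env:windir 'Tasks\At1.job'),
    (Join-Path $env:windir 'Tasks\At2.job')
)

function Test-MalasRegistryIndicators {
    # Returns one object per registry value that is present and, where the page gives
    # a value, matches it. Missing keys are silently skipped.
    $hits = @()
    foreach ($ind in $MalasRegistryIndicators) {
        $item = Get-ItemProperty -Path $ind.Path -Name $ind.Name -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }
        $data = $item.($ind.Name)
        if ($ind.ContainsKey('Expected') -and $data -ne $ind.Expected) { continue }
        $hits += [pscustomobject]@{ Kind = 'Registry'; Location = "$($ind.Path)\$($ind.Name)"; Data = $data; Note = $ind.Note }
    }
    return $hits
}

function Test-MalasFileIndicators {
    # Returns one object per dropped-file path that exists. -Force so hidden/system
    # attributes set on the dropped copies do not hide them from the check.
    $hits = @()
    foreach ($path in $MalasFileIndicators) {
        if (Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue) {
            $hits += [pscustomobject]@{ Kind = 'File'; Location = $path; Data = $null; Note = 'file name listed in the W32/Malas-F description' }
        }
    }
    return $hits
}

$findings = @(Test-MalasRegistryIndicators) + @(Test-MalasFileIndicators)
if ($findings.Count -eq 0) {
    Write-Output 'No W32/Malas-F indicators found on this host.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it in an elevated session so the `HKLM` policy keys and `%WINDIR%\Tasks` are readable. A match on the `Hidden`, `HideFileExt` or `ShowSuperHidden` values alone is weak evidence, since users and other software change them; treat the `Run` entry, the `XPCode` files and the `At1.job`/`At2.job` scheduled tasks as the stronger signals and confirm with your endpoint product before cleaning, as the page's removal instructions direct.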
