high
Summary
Summary
Action- More Information
| How it spreads |
|
|---|---|
| Affected operating systems | Windows |
| Characteristics |
|
| Included in our products from | September 2008 (4.33) |
| Protection available since | 12 May 2008 23:51:43 (GMT) |
| Last updated | 6 August 2008 22:37:20 (GMT) |
| Detected by | All Sophos products |
Action
- Summary
- Action
- More Information
Please follow the instructions for removing worms.
More Information
W32/Niya-C is a worm for the Windows platform.
W32/Niya-C includes functionality to access the internet and communicate with a remote server via HTTP.
W32/Niya-C spreads by copying itself to removable media.
When first run W32/Niya-C copies itself to:
<User>\cftmon.exe
<System>\drivers\spools.exe
and creates the following files:
<User>\ftp34.dll
<System>\ftp34.dll
These files are detected as W32/Niya-C.
The worm will copy itself to removable media as autorun.exe and create the file autorun.inf.
The following registry entries are created to run cftmon.exe and spools.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
ntuser
<System>\drivers\spools.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
autoload
<User>\cftmon.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ntuser
<System>\drivers\spools.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
autoload
<User>\cftmon.exe
The worm may also delete other registry entries under:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
The following registry entry is set or modified, so that cftmon.exe is run when files with extensions of EXE are opened/launched:
HKCR\exefile\shell\open\command
(default)
<User>\cftmon.exe "%1" %*
The file spools.exe is registered as a service named "Schedule" (replacing any existing services named "Schedule"). Registry entries are created or modified under:
HKLM\SYSTEM\CurrentControlSet\Services\Schedule
The following registry entry is set:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
UIHost
logonui.exe
|
