high
Summary
Summary
Action- More Information
| How it spreads |
|
|---|---|
| Affected operating systems | Windows |
| Characteristics |
|
| Protection available since | 6 July 2007 05:00:05 (GMT) |
| Detected by | All Sophos products |
Free virus scan
- Free virus, spyware, and adware scan
- Test your existing anti-virus protection
- Find threats your anti-virus missed
Action
- Summary
- Action
- More Information
Please follow the instructions for removing worms.
More Information
W32/Punya-A is a worm for the Windows platform.
When the W32/Punya-A is installed, it copies itself to the following locations:
\Punya Administrator.exe
\setup.bin
\dago\baru.exe
<Root>\Application Data\WINDOWS\CSRSS.EXE
<Root>\Application Data\WINDOWS\LSASS.EXE
<Root>\Application Data\WINDOWS\SERVICES.EXE
<Root>\Application Data\WINDOWS\SMSS.EXE
<Root>\Application Data\WINDOWS\WINLOGON.EXE
<System>\debug.cmd
<System>\evanta44.scr
<System>\fad.bin
<System>\fault.exe
<System>\Micro.exe
<System>\system.dll
<System>\tic.exe
<System>\Word.exe
The following files are created:
\loh.htm
\dago\Folder.htt
<Windows>\sys.bat
The following registry entries are created to run W32/Punya-A on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
AutoAdministrator
<Root>\Application Data\WINDOWS\SERVICES.EXE
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
CueX44_stil_here
<Root>\Application Data\WINDOWS\WINLOGON.EXE
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
dago
<System>\fault.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Task
<Root>\Application Data\WINDOWS\LSASS.EXE
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WinUpdateAdministrator
<Root>\Application Data\WINDOWS\CSRSS.EXE
The following registry entries are changed to run evanta44.scr and Word.exe on startup:
HKCU\Control Panel\Desktop
SCRNSAVE.EXE
<System>\evanta44.SCR
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
<System>\userinit.exe,<System>\Word.exe
(the default value for this registry entry is "<Windows>\System32\userinit.exe,").
The following registry entries are set or modified, so that Micro.exe is run when files with extensions of BAT, COM and PIF are opened/launched:
HKCR\lnkfile\shell\open\command
(Default)
<System>\Micro.exe" "%1" %*
HKCR\batfile\shell\open\command
(Default)
<System>\Micro.exe" "%1" %*
HKCR\comfile\shell\open\command
(Default)
<System>\Micro.exe" "%1" %*
HKCR\piffile\shell\open\command
(Default)
<System>\Micro.exe" "%1" %*
W32/Punya-A changes settings for Microsoft Internet Explorer, including the Start Page, by modifying values under:
HKCU\Software\Microsoft\Internet Explorer\Main\
HKCU\Software\Microsoft\Internet Explorer\Main\Start Page
The following registry entries are set, disabling the registry editor (regedit), the Windows task manager (taskmgr) and the command prompt:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableCMD
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
DisableRegistryTools
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
DisableTaskMgr
1
Registry entries are set as follows:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFolderOptions
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoFolderOptions
1
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug
Debugger
<System>\debug.cmd
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe "<System>\IExplorer.exe"
|
