high
Summary
Summary
Action- More Information
| How it spreads |
|
|---|---|
| Affected operating systems | Windows |
| Characteristics |
|
| Protection available since | 9 July 2007 07:15:49 (GMT) |
| Detected by | All Sophos products |
Free virus scan
- Free virus, spyware, and adware scan
- Test your existing anti-virus protection
- Find threats your anti-virus missed
Action
- Summary
- Action
- More Information
Please follow the instructions for removing worms.
More Information
W32/Punya-B is a worm for the Windows platform.
The worm has the functionality to spread via network shares and removable storage.
When run, the worm copies itself to:
\evanta44.cuex44
\Punya Administrator.exe
\WINDOWS.exe
\dago\baru.exe
\Documents and Settings\<user>Nitip.exe
\Documents and Settings\<user>\Desktop\punya.exe
<AppData>\WINDOWS\CSRSS.EXE
<AppData>\WINDOWS\LSASS.EXE
<AppData>\WINDOWS\SERVICES.EXE
<AppData>\WINDOWS\SMSS.EXE
<AppData>\WINDOWS\WINLOGON.EXE
<Startup>\adobe.com
<Windows>\debug.cmd
<Windows>\evanta44.scr
<Windows>\fad.bin
<Windows>\Dago\CueX44.exe
<Windows>\Dago\Dago.exe
<Windows>\Firewall\Firewall.com
<Windows>\Media\Windows.cmd
<System>\oledb32.exe
<System>\server.exe
<System>\system.dll
<System>\config\systemprofile\Local Settings\Application Data\fault.exe
<System>\config\systemprofile\Local Settings\Application Data\Micro.exe
<System>\config\systemprofile\Local Settings\Application Data\tic.exe
<System>\config\systemprofile\Local Settings\Application Data\Word.exe
<User>\.exe
The following files are created:
\dasar cewek.htm
<System>\Oeminfo.ini
<Windows>\sys.bat
These files are detected as W32/Punya-B.
The following registry entries are created:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
ServicesAdministrator
C:\Documents and Settings\Administrator\Local Settings\Application Data\WINDOWS\SERVICES.EXE
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
SQL
<System>\server.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
User
<User>\.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Winlogon
C:\Documents and Settings\Administrator\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Administrator di Dago
<Windows>\Dago\Dago.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Csrss
C:\Documents and Settings\Administrator\Local Settings\Application Data\WINDOWS\CSRSS.EXE
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
CueX44
<Windows>\Dago\Dago.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Lsass
C:\Documents and Settings\Administrator\Local Settings\Application Data\WINDOWS\LSASS.EXE
$NAME changes settings for Microsoft Internet Explorer, including the Start Page, by modifying values under:
HKCU\Software\Microsoft\Internet Explorer\Main\
HKCU\Software\Microsoft\Internet Explorer\Main\Start Page
The following registry entries are set, disabling the registry editor (regedit), the Windows task manager (taskmgr) and the command prompt:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableCMD
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
DisableRegistryTools
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
DisableTaskMgr
1
Registry entries are set as follows:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFolderOptions
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoFolderOptions
1
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe "<System>\\config\systemprofile\Local Settings\Application Data\tic.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
<System>\userinit.exe,<System>\\Media\Windows.cmd
|
