Antivirus and Security Software from Sophos

W32/Romario-B

Aliases
  • Virus.Win32.Romario.a
  • WORM_FACECOOL.Q
  • W32/Romario@M virus

Summary

Affected operating systems Windows
Characteristics
  • Drops more malware
  • Installs itself in the registry
Protection available since 4 June 2008 18:43:52 (GMT)
Detected by All Sophos products

More Information

W32/Romario-B is a worm for the Windows platform.

When first run W32/Romario-B copies itself to:

<User>\Documents\Bola Pantul.exe
<User>\Documents\FreeCard.exe
<User>\Documents\MyHearts.exe
<User>\Application Data\Alisa.exe
<User>\Application Data\Emma.exe
<User>\My Documents\Mario Bross.exe
<User>\My Documents\Minesweeper.exe
<User>\My Documents\Solitaire Card.exe
<Root>\Mario.exe
<Root>\explorer.exe
<Root>\game\Bola.exe
<Root>\game\Crazy Mouse.exe
<Root>\game\Dark Screen.exe
<Root>\game\Goncang.exe
<Root>\game\Kartu.exe
<Root>\game\Kelap Kelip.exe
<Root>\game\Layar Jatuh.exe
<Root>\game\Legend.exe
<Root>\game\Minesweeper.exe
<Root>\game\My Heart.exe
<Root>\game\Pink Panther.exe
<Root>\game\Smart.exe
<Root>\game\Start Hide.exe
<Root>\game\Text Animation.exe
<Root>\game\XP Button.exe
<System>\PANGKALP1NANG.EXE
<System>\SMUNSA_PKP_GAME.EXE
<Windows>\winlogon.exe

and creates the following files:

<User>\Application Data\Aliciana.htt
<User>\Application Data\Emira.ini
<Program Files>\mario.exe

The files Aliciana.htt and Emira.ini are detected as W32/Romario-A. Mario.exe appears to be a clean Mario game.

The following registry entries are created to run W32/Romario-B on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Mr_CoolFace_Game
<User>\Application Data\Emma.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SmansaApp
<Windows>\winlogon.exe

The following registry entries are changed to run W32/Romario-B on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
explorer.exe "<Root>\explorer.exe"

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
<System>\userinit.exe, <Root>\explorer.exe

The following registry entries are set or modified so that <Root>\explorer.exe is run whenever a file with the extension VBS, BAT, COM, PIF or SCR is opened or launched:

HKCR\VBSFile\Shell\Open\Command
(default)
<Root>\explorer.exe" "%1" %*

HKCR\batfile\shell\open\command
(default)
<Root>\explorer.exe" "%1" %*

HKCR\comfile\shell\open\command
(default)
<Root>\explorer.exe" "%1" %*

HKCR\piffile\shell\open\command
(default)
<Root>\explorer.exe" "%1" %*

HKCR\scrfile\shell\open\command
(default)
<Root>\explorer.exe" "%1" %*

The following registry entries are set, disabling system software:

HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
DisableConfig
1

HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
DisableSR
1

Registry entries are set as follows:

HKCU\Software\Microsoft\Internet Explorer\Toolbar
BackBitmapShell
<Windows>\Web\Wallpaper\Bliss.bmp

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden
UncheckedValue
0

Registry entries are created under:

HKCU\Identities\{D5A9171C-33E5-45AA-8DA6-0CA3468699C7}\Software\Microsoft\Outlook Express\5.0\Mail
HKCU\Software\Microsoft\MS Setup (ACME)\User Info
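A read-only audit of the persistence locations listed above, added here as an example and not part of the Sophos analysis. It assumes an elevated PowerShell session on the host being checked and the clean Windows defaults noted in the comments (Shell of explorer.exe, a single userinit.exe entry in Userinit, no explorer.exe in the file-type handlers, no SystemRestore policy values).

```powershell
# Added example (not from the Sophos analysis): reports deviations from clean
# defaults at the registry locations W32/Romario-B is described as modifying.
$findings = @()
function Add-Finding($Location, $Value, $Expected, $Actual) {
    $script:findings += [pscustomobject]@{
        Location = $Location; Value = $Value; Expected = $Expected; Actual = $Actual
    }
}

# 1. Winlogon Shell / Userinit: the worm appends <Root>\explorer.exe to both.
$wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty $wl -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell.Trim() -ne 'explorer.exe') {
    Add-Finding $wl 'Shell' 'explorer.exe' $shell
}
$userinit = (Get-ItemProperty $wl -Name Userinit -ErrorAction SilentlyContinue).Userinit
# Clean default is one entry, "<System>\userinit.exe," (note the trailing comma).
$entries = @($userinit -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
if ($entries.Count -ne 1 -or $entries[0] -notmatch '\\system32\\userinit\.exe$') {
    Add-Finding $wl 'Userinit' '<System>\userinit.exe,' $userinit
}

# 2. File-type handlers: the worm points each of these at <Root>\explorer.exe.
foreach ($ext in 'VBSFile', 'batfile', 'comfile', 'piffile', 'scrfile') {
    $key = "Registry::HKEY_CLASSES_ROOT\$ext\shell\open\command"
    $cmd = (Get-ItemProperty $key -ErrorAction SilentlyContinue).'(default)'
    if ($cmd -match 'explorer\.exe') {   # explorer.exe never belongs in these handlers
        Add-Finding $key '(default)' 'normal handler for the file type' $cmd
    }
}

# 3. System Restore policies: set to 1 by the worm; absent on a clean system.
$sr = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'
foreach ($name in 'DisableConfig', 'DisableSR') {
    $v = (Get-ItemProperty $sr -Name $name -ErrorAction SilentlyContinue).$name
    if ($v -eq 1) { Add-Finding $sr $name 'absent or 0' $v }
}

# 4. Run keys: the value names the analysis attributes to the worm.
$runs = @{ 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' = 'Mr_CoolFace_Game'
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' = 'SmansaApp' }
foreach ($k in $runs.Keys) {
    $v = (Get-ItemProperty $k -Name $runs[$k] -ErrorAction SilentlyContinue).($runs[$k])
    if ($v) { Add-Finding $k $runs[$k] 'absent' $v }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { 'No W32/Romario-B persistence indicators found.' }
```

A hit on the Shell, Userinit or file-handler checks also identifies the dropped copy (<Root>\explorer.exe) that the later file clean-up must cover, since the registry values alone do not remove it.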
