Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Characteristics | |
| Included in our products from | May 2008 (4.29) |
| Protection available since | 31 March 2008 20:22:32 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
More Information
W32/Xorer-C is a worm for the Windows platform.
W32/Xorer-C includes functionality to access the internet and communicate with a remote server via HTTP.
When first run, W32/Xorer-C creates the following files:
<Root>\AUTORUN.INF - detected as W32/Xorer-A
<Root>\pagefile.pif - detected as W32/Xorer-C
<System>\14141.log - detected as W32/Xorer-C
<System>\dnsq.dll - Mal/Emogen-Y
<System>\Com\lsass.exe - detected as W32/Xorer-C
<System>\Com\netcfg.000 - detected as W32/Xorer-C
<System>\Com\netcfg.dll - detected as W32/Xorer-C
<System>\Com\smss.exe - detected as W32/Xorer-B
W32/Xorer-C creates a COM object for the file netcfg.dll, creating registry entries under:
HKCR\CLSID\{450EC9C4-0F7F-B084-D1147FE9DDCC}
Registry entries are set as follows:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden = 0
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden
Type = radio
W32/Xorer-C attempts to spread to removable media drives by copying AUTORUN.INF and pagefile.pif to the root folder of inserted drives.
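
The file, registry and drive-root artifacts listed above can be checked on a host with a read-only script. The following PowerShell is an added example, not part of the original Sophos description; it assumes `<System>` means `%SystemRoot%\System32` and `<Root>` means the root of each fixed or removable drive, and it changes nothing on the system.

```powershell
# Added example: read-only check for the artifacts this page lists.
# Assumptions: <System> = %SystemRoot%\System32, <Root> = root of each drive.
$system   = Join-Path $env:SystemRoot 'System32'
$findings = New-Object 'System.Collections.Generic.List[string]'

# Files listed under <System>. [IO.File]::Exists also sees hidden/system files.
$systemFiles = '14141.log', 'dnsq.dll', 'Com\lsass.exe', 'Com\netcfg.000',
               'Com\netcfg.dll', 'Com\smss.exe'
foreach ($rel in $systemFiles) {
    $path = Join-Path $system $rel
    if ([System.IO.File]::Exists($path)) { $findings.Add("File: $path") }
}

# Drive roots: removable (DriveType 2) and fixed (DriveType 3) volumes.
# AUTORUN.INF alone is common on legitimate media, so report only the pair.
$drives = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType=2 OR DriveType=3'
foreach ($d in $drives) {
    $inf = "$($d.DeviceID)\AUTORUN.INF"
    $pif = "$($d.DeviceID)\pagefile.pif"
    if ([System.IO.File]::Exists($inf) -and [System.IO.File]::Exists($pif)) {
        $findings.Add("Drive root pair: $inf + $pif")
    }
}

# Registry values from the page. ShowSuperHidden = 0 only means Explorer hides
# protected files, so treat registry matches as supporting context, not proof.
$values = @(
    @{ Key  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
       Name = 'ShowSuperHidden'; Value = '0' },
    @{ Key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden'
       Name = 'Type'; Value = 'radio' }
)
foreach ($v in $values) {
    $item = Get-ItemProperty -LiteralPath $v.Key -Name $v.Name -ErrorAction SilentlyContinue
    if ($item -and "$($item.($v.Name))" -eq $v.Value) {
        $findings.Add("Registry: $($v.Key)\$($v.Name) = $($v.Value)")
    }
}

# COM registration key, written exactly as the page prints it.
$clsid = 'Registry::HKEY_CLASSES_ROOT\CLSID\{450EC9C4-0F7F-B084-D1147FE9DDCC}'
if (Test-Path -LiteralPath $clsid) { $findings.Add("COM key: $clsid") }

if ($findings.Count -eq 0) { 'No listed W32/Xorer-C artifacts found.' } else { $findings }
```

A file-name match is a lead for a scan with an up-to-date product, not a verdict; note that the legitimate `lsass.exe` and `smss.exe` live directly in `System32`, so copies under `System32\Com` are the ones of interest.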
