Summary

| Field | Value |
|---|---|
| How it spreads | Removable media |
| Affected operating systems | Windows |
| Characteristics | |
| Included in our products from | June 2008 (4.30) |
| Protection available since | 17 April 2008 05:56:48 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
More Information
W32/Xorer-D is a worm for the Windows platform.
W32/Xorer-D includes functionality to access the internet and communicate with a remote server via HTTP.
When first run W32/Xorer-D creates the following files:
<Root>\AUTORUN.INF - detected as W32/Xorer-A
<Root>\pagefile.pif - detected as W32/Xorer-D
<Root>\<random number>.log - detected as W32/Xorer-D
<System>\<random number>.log - detected as W32/Xorer-D
<System>\dnsq.dll - detected as Mal/Emogen-Y
<System>\Com\lsass.exe - detected as W32/Xorer-D
<System>\Com\netcfg.000 - detected as W32/Xorer-C
<System>\Com\netcfg.dll - detected as W32/Xorer-C
<System>\Com\smss.exe - detected as W32/Xorer-B
W32/Xorer-D registers the file netcfg.dll as a COM object by creating registry entries under:
HKCR\CLSID\{450EC9C4-0F7F-B084-D1147FE9DDCC}
The file NetApi000.sys is registered as a new system driver service named "NetApi000", with a display name of "NetApi000". Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\NetApi000
Registry entries are set as follows:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = 0
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden\Type = "radio"
The first value keeps protected operating system files hidden in Explorer (this is also the Windows default, so on its own it is a weak indicator). The second changes the control type of the "Hide protected operating system files" option in Folder Options, which is normally "checkbox", so that the user cannot simply untick it to reveal the dropped files.
W32/Xorer-D attempts to spread to removable media by copying AUTORUN.INF and pagefile.pif to the root folder of any drive that is inserted; the usual purpose of such an AUTORUN.INF is to have Windows AutoPlay launch pagefile.pif when the drive is connected to another machine.
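The following PowerShell script is an added triage example, not Sophos's own tooling or part of the original write-up. It checks a Windows host for the indicators listed above (dropped files, the random-name .log files, the CLSID and NetApi000 service keys, the Explorer settings, and the two files on the root of removable drives) and reports what it finds without removing anything. It assumes PowerShell 3.0 or later (for `-File` on Get-ChildItem and Get-CimInstance) and the standard %SystemRoot% and %SystemDrive% layout; the CLSID is copied as printed on this page.

```powershell
# Added example (not Sophos's code): read-only indicator check for W32/Xorer-D.
# Assumes PowerShell 3.0+ and the usual %SystemRoot%\System32 layout.

$systemDir = Join-Path $env:SystemRoot 'System32'
$rootDir   = "$env:SystemDrive\"

# Fixed-name files the write-up lists as dropped by the worm.
# Note: a genuine System32\Com directory exists on some Windows versions, but the
# real lsass.exe and smss.exe live in System32 itself, never in System32\Com.
$droppedFiles = @(
    (Join-Path $rootDir   'AUTORUN.INF'),
    (Join-Path $rootDir   'pagefile.pif'),
    (Join-Path $systemDir 'dnsq.dll'),
    (Join-Path $systemDir 'Com\lsass.exe'),
    (Join-Path $systemDir 'Com\netcfg.000'),
    (Join-Path $systemDir 'Com\netcfg.dll'),
    (Join-Path $systemDir 'Com\smss.exe')
)

$findings = New-Object System.Collections.Generic.List[string]

foreach ($p in $droppedFiles) {
    if (Test-Path -LiteralPath $p) {
        $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        $findings.Add("file: $p (SHA256 $hash)")
    }
}

# <Root>\<random number>.log and <System>\<random number>.log: the name is not
# known in advance, so match any .log whose basename is digits only.
foreach ($dir in @($rootDir, $systemDir)) {
    Get-ChildItem -LiteralPath $dir -Filter '*.log' -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.BaseName -match '^\d+$' } |
        ForEach-Object { $findings.Add("file (numeric-name log): $($_.FullName)") }
}

# COM registration for netcfg.dll and the NetApi000 driver service key.
# CLSID copied as printed in the write-up (HKCR has no default PS drive, hence Registry::).
$clsidKey   = 'Registry::HKEY_CLASSES_ROOT\CLSID\{450EC9C4-0F7F-B084-D1147FE9DDCC}'
$serviceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetApi000'
foreach ($k in @($clsidKey, $serviceKey)) {
    if (Test-Path -LiteralPath $k) { $findings.Add("registry key: $k") }
}
$svc = Get-Service -Name 'NetApi000' -ErrorAction SilentlyContinue
if ($svc) { $findings.Add("service: NetApi000 ($($svc.Status))") }

# Explorer settings the worm changes so its files stay hidden.
$adv = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' -ErrorAction SilentlyContinue
if ($adv -and $adv.ShowSuperHidden -eq 0) {
    # 0 is also the Windows default, so report it only as supporting evidence.
    $findings.Add('registry (weak): Explorer\Advanced\ShowSuperHidden = 0')
}
$sh = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden' -ErrorAction SilentlyContinue
if ($sh -and $sh.Type -eq 'radio') {
    # Default is "checkbox"; "radio" removes the user's ability to toggle the option.
    $findings.Add('registry: Folder\SuperHidden\Type = radio (expected: checkbox)')
}

# Removable drives (DriveType 2): the worm copies AUTORUN.INF and pagefile.pif to the root.
Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
    $driveRoot = $_.DeviceID + '\'
    foreach ($name in 'AUTORUN.INF', 'pagefile.pif') {
        $p = Join-Path $driveRoot $name
        if (Test-Path -LiteralPath $p) { $findings.Add("removable media: $p") }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No W32/Xorer-D indicators found.'
} else {
    Write-Output "W32/Xorer-D indicators found ($($findings.Count)):"
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

Run it from an elevated PowerShell prompt so that System32\Com, the HKLM keys and the service list are readable. Anything it reports, other than the weak ShowSuperHidden line on its own, should be treated as a hit and handled with the worm removal instructions above; the SHA256 of each dropped file is printed so it can be submitted or searched for on other hosts.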
