Summary
| Affected operating systems | Windows |
|---|---|
| Included in our products from | March 2008 (4.27) |
| Protection available since | 20 January 2007 04:48:50 (GMT) |
| Last updated | 14 January 2008 04:50:41 (GMT) |
| Detected by | All Sophos products |
Action
Please follow the instructions for disinfecting PE executables.
More Information
W32/Brontok-CJ is a worm for the Windows platform.
When first run, W32/Brontok-CJ copies itself to the following locations:
\aut0exec.bat
<Windows>\System32.exe
<System>\dllcache\Regedit32.com
<System>\dllcache\Shell32.com
<System>\dllchache.exe
<System>\dllchache\Blank.doc
<System>\dllchache\Empty.jpg
<System>\dllchache\Hole.zip
<System>\dllchache\Unoccupied.reg
<System>\dllchache\Zero.txt
<System>\m5vbvm60.exe
<System>\rund1132.exe
It also creates the file \(Read Me)Pendekar Blank.txt.
Most of these names imitate legitimate Windows components: aut0exec.bat (digit zero in place of the letter o) mimics autoexec.bat, rund1132.exe (digit one in place of the letter l) mimics rundll32.exe, m5vbvm60.exe mimics the Visual Basic runtime msvbvm60.dll, and the dllchache directory and dllchache.exe mimic the genuine <System>\dllcache directory. Note that Regedit32.com and Shell32.com are dropped into the real dllcache directory, while the document-like copies (Blank.doc, Empty.jpg and so on) go into the misspelled dllchache directory, so the misspellings are the reliable way to tell the worm's files apart.
The following registry values are created so that aut0exec.bat, Regedit32.com and Shell32.com run at startup (the HKCU values apply to the infected user only; the HKLM value applies to every user of the machine):
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Secure64 = <System>\dllcache\Regedit32.com StartUp
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Secure32 = <System>\dllcache\Shell32.com StartUp
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Blank AntiViri = C:\AUT0EXEC.BAT StartUp
The following registry value is modified so that m5vbvm60.exe runs at logon. Winlogon runs every program in the comma-separated Userinit list, so the genuine userinit.exe still runs and the worm's copy is started after it:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = <System>\userinit.exe, "<System>\M5VBVM60.EXE StartUp"
The following registry values are set or modified so that rund1132.exe, rather than the normal handler, runs whenever a file with a .com or .txt extension is opened; the path of the opened file is passed to it as %1:
HKCR\comfile\shell\open\command\(default) = <System>\rund1132.exe %1
HKCR\txtfile\shell\open\command\(default) = <System>\rund1132.exe %1
Because these associations point at the worm's own file, simply deleting rund1132.exe leaves .com and .txt files unable to open until the default handlers are restored.
The following Explorer settings are changed so that known file extensions and protected operating system files are not shown; with extensions hidden, dropped copies such as <Windows>\System32.exe and <System>\dllchache.exe are displayed as System32 and dllchache, which look like folder names:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = 1
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = 0
Both values are also the Windows defaults on a fresh installation, so on their own they are not evidence of infection.
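As an added example, not part of this analysis and not Sophos's own tooling, the following Python script triages a registry export (the text produced by `reg export`) for the persistence points listed above: the extra program appended to Winlogon\Userinit, the rewritten .com and .txt open commands, Run values that name the worm's look-alike files, and the two Explorer settings. The sample export embedded in the script is constructed from the values in this analysis, and the "expected default" open commands are assumptions for a stock Windows XP-era installation.

```python
"""Offline triage of a `reg export` dump for W32/Brontok-CJ persistence.
Added example, not Sophos code.  The export below is constructed from the
analysis, and the stock-default open commands are assumptions."""
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str, str]  # (severity, key, value name, reason)

# Constructed sample: the keys from the analysis as a .reg export shows them,
# plus one benign Run entry (ctfmon.exe) that the rules must leave alone.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Secure64"="C:\\WINDOWS\\system32\\dllcache\\Regedit32.com StartUp"
"Secure32"="C:\\WINDOWS\\system32\\dllcache\\Shell32.com StartUp"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Blank AntiViri"="C:\\AUT0EXEC.BAT StartUp"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe, \"C:\\WINDOWS\\system32\\M5VBVM60.EXE StartUp\""

[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="C:\\WINDOWS\\system32\\rund1132.exe %1"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="C:\\WINDOWS\\system32\\rund1132.exe %1"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt"=dword:00000001
"ShowSuperHidden"=dword:00000000
"""

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
ADVANCED = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"

# Look-alike names from the analysis: rund1132 for rundll32, m5vbvm60 for
# msvbvm60, aut0exec for autoexec, dllchache for dllcache, fake .com files.
LOOKALIKE = re.compile(
    r"rund1132\.exe|m5vbvm60\.exe|aut0exec\.bat|dllchache|dllcache\\(regedit32|shell32)\.com",
    re.IGNORECASE)

# Assumed stock defaults for the two file associations the worm rewrites.
EXPECTED_COMMAND = {
    r"HKEY_CLASSES_ROOT\comfile\shell\open\command": re.compile(r'^"%1"\s*%\*$'),
    r"HKEY_CLASSES_ROOT\txtfile\shell\open\command": re.compile(r"\\notepad\.exe", re.IGNORECASE),
}


def _decode(data: str):
    """Decode the .reg data forms used here: quoted strings and dword:hex."""
    if data.startswith('"'):
        out, escaped = [], False
        for ch in data[1:]:
            if escaped:
                out.append(ch)          # \\ -> \ and \" -> "
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                break
            else:
                out.append(ch)
        return "".join(out)
    if data.lower().startswith("dword:"):
        return int(data[6:], 16)
    return data  # hex:, expandable strings etc. are left undecoded


def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Parse [key] sections and "name"=data / @=data lines into nested dicts."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = "(default)" if name == "@" else name.strip('"')
        keys[current][name] = _decode(data)
    return keys


def audit(reg_text: str) -> List[Finding]:
    """Return findings for the persistence points described in the analysis."""
    keys = parse_reg_export(reg_text)
    findings: List[Finding] = []
    seen = set()

    def flag(severity: str, key: str, name: str, reason: str) -> None:
        findings.append((severity, key, name, reason))
        seen.add((key, name))

    # 1. Winlogon\Userinit: only userinit.exe itself is expected.  A trailing
    #    comma is normal; any other entry is a second program run at logon.
    userinit = keys.get(WINLOGON, {}).get("Userinit")
    if isinstance(userinit, str):
        for entry in (e.strip().strip('"') for e in userinit.split(",")):
            if entry and not entry.lower().endswith(r"\userinit.exe"):
                flag("high", WINLOGON, "Userinit", f"extra logon program: {entry}")

    # 2. File-association hijack: the open command must look like the default.
    for key, expected in EXPECTED_COMMAND.items():
        cmd = keys.get(key, {}).get("(default)")
        if isinstance(cmd, str) and not expected.search(cmd):
            flag("high", key, "(default)", f"open command replaced: {cmd}")

    # 3. Any remaining string value naming one of the worm's look-alike files
    #    (catches the Run entries without hard-coding their value names).
    for key, values in keys.items():
        for name, data in values.items():
            if (key, name) in seen or not isinstance(data, str):
                continue
            m = LOOKALIKE.search(data)
            if m:
                flag("high", key, name, f"references look-alike file {m.group(0)}: {data}")

    # 4. Explorer settings: these are also the Windows defaults, so on their
    #    own they prove nothing; report them as corroborating context only.
    adv = keys.get(ADVANCED, {})
    if adv.get("HideFileExt") == 1:
        flag("info", ADVANCED, "HideFileExt", "extensions hidden (Windows default, also set by this worm)")
    if adv.get("ShowSuperHidden") == 0:
        flag("info", ADVANCED, "ShowSuperHidden", "protected OS files hidden (Windows default, also set by this worm)")
    return findings


if __name__ == "__main__":
    for severity, key, name, reason in audit(SAMPLE_REG_EXPORT):
        print(f"[{severity}] {key}\\{name}: {reason}")
```

On the constructed sample this reports six high findings (the two HKCU Run values, the HKLM Run value, the extra Userinit entry and both rewritten open commands) and two informational ones for the Explorer settings, while ignoring the benign ctfmon.exe entry. To use it on a real machine, export the five keys with `reg export` and feed the concatenated text to `audit`; the Userinit rule is deliberately independent of the worm's file names, so it also catches other malware that appends itself to that value.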
