Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Included in our products from | April 2008 (4.28) |
| Protection available since | 19 February 2008 03:46:15 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
More Information
W32/Pasalavoz-A is a worm for the Windows platform.
W32/Pasalavoz-A spreads via removable media.
When first run, W32/Pasalavoz-A creates the following files on removable drives:
System\System25.exe - detected as W32/Pasalavoz-A
System\System26.exe - detected as W32/Pasalavoz-A
System\System20.exe - can be safely deleted
System\System21.exe - can be safely deleted
System\System22.exe - can be safely deleted
System\System23.exe - can be safely deleted
System\System24.exe - can be safely deleted
Pasalavoz.exe - can be safely deleted
Pasalavoz2.exe - can be safely deleted
Pasalavoz2\ - can be safely deleted
and creates a series of files in:
<Root>\cppsesys.exe - can be safely deleted
<Root>\fetnoxsys.exe - can be safely deleted
<Root>\mkdirxsys.exe - can be safely deleted
<Root>\norj45sys.exe - can be safely deleted
<Root>\sendrihsys.exe - can be safely deleted
W32/Pasalavoz-A creates the following Run keys to start itself:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
smss
<Current>\smss.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
cppsesys
<Root>\cppsesys.exe
and creates the following CLSIDs:
HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}
HKCR\CLSID\{3B7C8860-D78F-101B-B9B5-04021C009402}
HKCR\CLSID\{78E5A540-1850-11CF-9D53-00AA003C9CB6}
HKCR\CLSID\{AFC634B0-4B8B-11CF-8989-00AA00688B10}
HKCR\CLSID\{B617B991-A767-4F05-99BA-AC6FCABB102E}
HKCR\CLSID\{CE376CC1-A1A5-46E6-B644-AE04EE1B013C}
