high
Summary
Summary
Action- More Information
| How it spreads |
|
|---|---|
| Affected operating systems | Windows |
| Characteristics |
|
| Included in our products from | November 2007 (4.23) |
| Protection available since | 10 October 2007 02:39:32 (GMT) |
| Detected by | All Sophos products |
Action
- Summary
- Action
- More Information
Please follow the instructions for removing worms.
More Information
W32/SillyFDC-BA is a worm for the Windows platform.
When run W32/SillyFDC-BA copies itself to <System>\avpo.exe and creates the following files:
<Temp>\cda4h.dll
<System>\avpo0.dll
<System>\avpo1.dll
These 3 files are also detected as W32/SillyFDC-BA.
The following registry entry is set to run the worm on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
avpa
<System>\avpo.exe
W32/SillyFDC-BA also registers itself as a service with a random name to run automatically on system logon.
The following registry entries are set:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
2
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
CheckedValue
0
W32/SillyFDC-BA spreads via removable shared drives by copying itself to the shared drive as <Root>\ntde1ect.com. W32/SillyFDC-BA then creates the file <Root>\autorun.inf (also detected as W32/SillyFDC-BA) on that drive to allow the worm to run when the removable shared drive is connected to an uninfected computer.
|
