Summary

| Property | Value |
|---|---|
| How it spreads | Removable drives |
| Affected operating systems | Windows |
| Characteristics | |
| Included in our products from | February 2008 (4.26) |
| Protection available since | 4 December 2007 06:11:17 (GMT) |
| Detected by | All Sophos products |

Action
Please follow the instructions for removing worms.
More Information
W32/SillyFDC-BN is a worm for the Windows platform.
W32/SillyFDC-BN includes functionality to access the internet and communicate with a remote server via HTTP.
W32/SillyFDC-BN spreads via removable drives by copying itself to <Root>\RECYCLER\RECYCLER\autorun.exe and creating the file <Root>\autorun.inf. The file <Root>\autorun.inf is also detected as W32/SillyFDC-BG; it is designed to launch the copied worm through AutoRun when the removable drive is connected to an uninfected computer, so both files must be removed from the drive, not just autorun.inf.
When first run W32/SillyFDC-BN copies itself to <Windows>\msmsgs.exe and creates the following files:
<Common Files>\Microsoft Shared\MSInfo\zrpacinr.dll
<Common Files>\Microsoft Shared\MSInfo\zrpacinr.drv
<Common Files>\Microsoft Shared\MSInfo\zrpacinr.sys
<Windows>\Debug\passdb.log
<Windows>\Debug\sysdbg.dll
<Windows>\Debug\sysdeb.ini
The file zrpacinr.dll is detected as Mal/Behav-010, the file zrpacinr.drv is detected as Troj/PcClien-KR and the file zrpacinr.sys is detected as Troj/RKProc-H. The files passdb.log, sysdbg.dll and sysdeb.ini are not malicious and may be deleted.
The following registry entry is created to run W32/SillyFDC-BN on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value name: Windows Messenger
Value data: <Windows>\msmsgs.exe
The value name imitates the legitimate Windows Messenger client, but that client's msmsgs.exe is installed under the Program Files directory, not directly in <Windows>; a Run value pointing at <Windows>\msmsgs.exe is an indicator of this infection.
The file zrpacinr.sys is registered as a new system driver service named "zrpacinr", with a display name of "zrpacinr" and a startup type of automatic, so that it is started automatically during system startup. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\zrpacinr
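The following triage and cleanup script is an added example written against the indicators listed in this analysis (the dropped files, the Run value, the zrpacinr driver service and the autorun pair on removable drives); it is not Sophos code and not part of the original page. It assumes a Windows host, an elevated PowerShell prompt, and that the <Windows> and <Common Files> placeholders above correspond to $env:SystemRoot and $env:CommonProgramFiles. It reports by default and removes only when run with -Remove.

```powershell
<#
Added triage/cleanup script for the W32/SillyFDC-BN indicators in this
analysis. Not Sophos code. Assumptions: Windows host, elevated shell,
<Windows> = $env:SystemRoot, <Common Files> = $env:CommonProgramFiles.
Reports only unless -Remove is given.
#>
[CmdletBinding()]
param([switch]$Remove)

$win     = $env:SystemRoot
$msinfo  = Join-Path $env:CommonProgramFiles 'Microsoft Shared\MSInfo'
$runKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runName = 'Windows Messenger'
$svcKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\zrpacinr'

# Every file the analysis lists. The three under Debug are benign side files,
# but the worm drops them, so they are still reported and removed.
$dropped = @(
    (Join-Path $win 'msmsgs.exe'),
    (Join-Path $msinfo 'zrpacinr.dll'),
    (Join-Path $msinfo 'zrpacinr.drv'),
    (Join-Path $msinfo 'zrpacinr.sys'),
    (Join-Path $win 'Debug\passdb.log'),
    (Join-Path $win 'Debug\sysdbg.dll'),
    (Join-Path $win 'Debug\sysdeb.ini')
)

$findings = New-Object System.Collections.Generic.List[string]

# 1. Startup persistence: this Run value should not exist on a clean host.
$run = Get-ItemProperty -Path $runKey -Name $runName -ErrorAction SilentlyContinue
if ($run) { $findings.Add("Run value '$runName' -> $($run.$runName)") }

# 2. Driver service. Get-Service does not list kernel-driver services,
#    so check the Services key named in the analysis directly.
if (Test-Path $svcKey) {
    $img = (Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue).ImagePath
    $findings.Add("Driver service zrpacinr present, ImagePath=$img")
}

# 3. Dropped files on the local disk (Test-Path sees hidden/system files too).
foreach ($f in $dropped) {
    if (Test-Path -LiteralPath $f) { $findings.Add("File present: $f") }
}

# 4. Removable drives (DriveType 2) carrying the autorun pair. Get-WmiObject is
#    used because hosts of this era run Windows PowerShell; on PowerShell 7
#    substitute Get-CimInstance with the same class and filter.
$autorunOnDrives = @()
foreach ($d in Get-WmiObject Win32_LogicalDisk -Filter 'DriveType = 2') {
    $root = $d.DeviceID + '\'
    foreach ($p in @((Join-Path $root 'autorun.inf'),
                     (Join-Path $root 'RECYCLER\RECYCLER\autorun.exe'))) {
        if (Test-Path -LiteralPath $p) {
            $findings.Add("Removable drive $($d.DeviceID): $p")
            $autorunOnDrives += $p
        }
    }
}

if ($findings.Count -eq 0) { Write-Host 'No W32/SillyFDC-BN indicators found.'; return }
$findings | ForEach-Object { Write-Host "[!] $_" }
if (-not $Remove) { Write-Host 'Re-run with -Remove to clean.'; return }

# Cleanup order: stop the running copy, cut both persistence points, delete files.
Stop-Process -Name msmsgs -Force -ErrorAction SilentlyContinue
Remove-ItemProperty -Path $runKey -Name $runName -ErrorAction SilentlyContinue
if (Test-Path $svcKey) {
    # sc.exe can stop/delete driver services; bare 'sc' is a PowerShell alias.
    & sc.exe stop zrpacinr   | Out-Null
    & sc.exe delete zrpacinr | Out-Null
}
foreach ($f in ($dropped + $autorunOnDrives)) {
    if (Test-Path -LiteralPath $f) {
        Remove-Item -LiteralPath $f -Force -ErrorAction SilentlyContinue
    }
}
Write-Host 'Cleanup attempted. Reboot, then re-run this script to confirm the driver is gone.'
```

Because zrpacinr.sys is loaded as a kernel driver, its file and service may resist deletion until the system is restarted without the service; re-running the script after the reboot is the check that matters. The script is a complement to, not a replacement for, a full scan with an up-to-date product.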
