Sophos

W32/SillyFD-G

Aliases
  • Backdoor.Win32.Agent.ahj
  • Win32/Agent.NEO
  • Possible_MLWR-5

How it spreads
  • Removable storage devices
  • Network shares
Affected operating systems Windows
Characteristics
  • Installs itself in the registry
Included in our products from September 2007 (4.21)
Protection available since 21 July 2007 00:00:49 (GMT)
Detected by All Sophos products

More Information

W32/SillyFD-G is a worm for the Windows platform.

W32/SillyFD-G includes functionality to access the internet and communicate with a remote server via HTTP.

When first run, W32/SillyFD-G copies itself to:

<Root>\auto.exe
<System>\DBB6ED81.EXE

and creates the following files:
<Root>\autorun.inf
<System>\8FB6C040.DLL (also detected as W32/SillyFD-G)

The file DBB6ED81.EXE is registered as a new system driver service named "79F5137E", with a display name of "79F5137E" and a startup type of automatic, so that it is started automatically during system startup. Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\79F5137E\

The following registry value may be created:

HKLM\SOFTWARE\Microsoft\Windows NT
ReportBootOK = 1

W32/SillyFD-G deletes the registry entries of the Windows Error Reporting service (ERSvc on Windows XP and Server 2003), which removes that service from the system:

HKLM\SYSTEM\CurrentControlSet\Services\ERSvc\

W32/SillyFD-G periodically attempts to copy itself to removable drives, including floppy drives and USB keys. The worm creates a hidden Autorun.inf file in the root of the removable drive and copies itself to the same location. The Autorun.inf file is designed to start the worm when the removable drive is connected to an uninfected computer.
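The two mechanisms described above (the autorun.inf spreading routine and the service/ERSvc registry changes) can be checked for with a small triage script. The following is an added example and not Sophos code: the file names, the service name "79F5137E" and the ERSvc key come from the description above; the sample autorun.inf text is constructed to resemble what an autorun worm writes and is not taken from the real sample. The parser is deliberately tolerant, because autorun.inf is case-insensitive, INI-like and often hand-written by malware, and the check looks at every directive that launches a program (open=, shellexecute= and shell\...\command=), not only the one this worm uses.

```python
"""Triage helper for autorun worms such as W32/SillyFD-G (added example)."""
import re
import sys
from pathlib import Path

# Indicators taken from the description above (compared lower-cased).
DROPPED_FILES = {"auto.exe", "dbb6ed81.exe", "8fb6c040.dll"}
SERVICE_NAME = "79F5137E"
SERVICES_KEY = r"SYSTEM\CurrentControlSet\Services"

# autorun.inf directives that launch a program when the drive is inserted
# or opened from Explorer; any of them pointing at an executable on a USB
# key is the spreading mechanism described above.
EXEC_KEYS = {"open", "shellexecute"}
SHELL_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$")
EXEC_EXTENSIONS = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd")

# Constructed sample in the shape an autorun worm typically writes (not
# the real file from the sample).
SAMPLE_AUTORUN = (
    "[AutoRun]\r\n"
    "open=auto.exe\r\n"
    "shell\\open\\Command=auto.exe\r\n"
    ";comment lines are ignored\r\n"
    "shellexecute=auto.exe\r\n"
)


def parse_autorun(text):
    """Return key/value pairs of the [autorun] section, keys lower-cased."""
    entries = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip().strip('"')
    return entries


def launch_targets(entries):
    """Programs the autorun.inf would execute, as sorted lower-cased base names."""
    targets = set()
    for key, value in entries.items():
        if key in EXEC_KEYS or SHELL_COMMAND_RE.match(key):
            parts = value.split()          # drop command-line arguments
            if parts:
                targets.add(Path(parts[0].replace("\\", "/")).name.lower())
    return sorted(targets)


def assess_autorun(text):
    """Classify autorun.inf text: 'known' (SillyFD-G file), 'executable' or 'benign'."""
    targets = launch_targets(parse_autorun(text))
    if any(t in DROPPED_FILES for t in targets):
        return "known", targets
    if any(t.endswith(EXEC_EXTENSIONS) for t in targets):
        return "executable", targets
    return "benign", targets


def scan_drive_root(root):
    """Report worm artefacts in a mounted drive root (e.g. 'E:\\' or '/mnt/usb')."""
    root = Path(root)
    findings = []
    autorun = root / "autorun.inf"
    if autorun.is_file():
        verdict, targets = assess_autorun(autorun.read_text(errors="replace"))
        if verdict != "benign":
            findings.append(f"{autorun}: launches {targets} ({verdict})")
    for name in DROPPED_FILES:
        if (root / name).is_file():
            findings.append(f"{root / name}: dropped file present")
    return findings


def check_host_services():
    """On Windows, look for the worm's service key and the removed ERSvc key.

    Caveat: ERSvc only exists on Windows XP / Server 2003; on later versions
    error reporting is WerSvc, so a missing ERSvc there is not an indicator.
    """
    if sys.platform != "win32":
        return ["not Windows: registry checks skipped"]
    import winreg
    findings = []
    for name, bad_if_present in ((SERVICE_NAME, True), ("ERSvc", False)):
        try:
            winreg.CloseKey(winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SERVICES_KEY + "\\" + name))
            present = True
        except OSError:
            present = False
        if present == bad_if_present:
            state = "present" if present else "missing"
            findings.append(f"HKLM\\{SERVICES_KEY}\\{name}: {state}")
    return findings


if __name__ == "__main__":
    for line in check_host_services() + [f for d in sys.argv[1:] for f in scan_drive_root(d)]:
        print(line)
```

Run it with the drive roots to inspect as arguments (for example `python triage.py E:\ F:\`). Note that the autorun.inf trick only works on systems that still honour autorun.inf for removable media; Windows 7 and later, and earlier versions with the AutoRun update (KB971029) applied, ignore it for USB and floppy drives, so on such hosts the file is evidence of infection attempts rather than a working infection vector.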
