Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Characteristics | |
| Included in our products from | February 2008 (4.26) |
| Protection available since | 18 December 2007 12:14:34 (GMT) |
| Last updated | 18 December 2007 18:48:08 (GMT) |
| Detected by | All Sophos products |

Action

Please follow the instructions for removing worms.
More Information
W32/VBLame-G is a worm for the Windows platform.
When first run, W32/VBLame-G copies itself to:
<Windows>\Fonts\Verdana.dll
<Windows>\Web\GnSalak.exe
<System>\himem32.sys
<Windows>\Help\Help.exe
and creates the files:
<Temp>\Bogor.vbs
<Windows>\config.ini
<Windows>\dayeuh.txt
<Windows>\system.exe
<Windows>\system.txt
<System>\wuapi32.dll
Each of these files is also detected as W32/VBLame-G.
The following harmless files are created:
<Root>\bkbZSOxr.txt
<Windows>\kujang.jpg
<System>\deskjet.dll
<System>\printer.dll
<System>\wtask.dll
<Root>\zdxjivox.txt
W32/VBLame-G copies itself to the root of various drives using the name "Tunggul.vbs".
The following registry entries are changed to run system.exe on startup:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe "<Windows>\system.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe "<Windows>\system.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Pantun Pa Cilong <Windows>\dayeuh.exe
W32/VBLame-G changes settings for Microsoft Internet Explorer by modifying values under:
HKCU\Software\Microsoft\Internet Explorer\Main
Registry entries are set as follows:
HKCU\Control Panel\Desktop
Wallpaper
<Windows>\kujang.jpg
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\AlternateShell
"cmd.exe <Windows>\system.exe"
Registry entries are created under:
HKCR\Drive\shell\eeinA
HKCR\Drive\shell\luggnuT
HKCR\Drive\shell\ynnaH
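
The registry and file changes listed above can be checked on a suspect machine with a read-only script such as the following. This is an added example, not Sophos code. It assumes `<Windows>` is `%windir%`, `<System>` is `%windir%\System32` and `<Temp>` is the current user's `%TEMP%`, and it compares against the stock Windows values `explorer.exe` (Winlogon Shell) and `cmd.exe` (SafeBoot AlternateShell).

```powershell
# Added example: read-only check for the W32/VBLame-G changes described on this page.
# Assumed placeholder mapping: <Windows> = %windir%, <System> = %windir%\System32, <Temp> = %TEMP%.
$win = $env:windir
$sys = Join-Path $win 'System32'
$findings = @()

# Read one registry value; returns $null when the key or the value does not exist.
function Get-RegValue([string]$Path, [string]$Name) {
    try { (Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

# Winlogon Shell: stock HKLM value is "explorer.exe"; HKCU normally has no Shell value at all.
foreach ($hive in 'HKCU:', 'HKLM:') {
    $shell = Get-RegValue "$hive\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" 'Shell'
    if ($shell -and $shell.Trim() -ne 'explorer.exe') {
        $findings += "Winlogon Shell changed under ${hive} $shell"
    }
}

# Safe Mode with Command Prompt shell: stock value is "cmd.exe".
$alt = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot' 'AlternateShell'
if ($alt -and $alt.Trim() -ne 'cmd.exe') { $findings += "SafeBoot AlternateShell changed: $alt" }

# Run value named on this page.
$run = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 'Pantun Pa Cilong'
if ($run) { $findings += "Run value 'Pantun Pa Cilong' present: $run" }

# Drive context-menu verbs created under HKCR\Drive\shell.
foreach ($verb in 'eeinA', 'luggnuT', 'ynnaH') {
    if (Test-Path -LiteralPath "Registry::HKEY_CLASSES_ROOT\Drive\shell\$verb") {
        $findings += "Drive shell verb present: $verb"
    }
}

# Files detected as W32/VBLame-G, plus Tunggul.vbs in the root of each file-system drive.
$paths = @("$win\Fonts\Verdana.dll", "$win\Web\GnSalak.exe", "$sys\himem32.sys",
           "$win\Help\Help.exe", "$env:TEMP\Bogor.vbs", "$win\config.ini", "$win\dayeuh.txt",
           "$win\system.exe", "$win\system.txt", "$sys\wuapi32.dll")
foreach ($drive in Get-PSDrive -PSProvider FileSystem) { $paths += "$($drive.Root)Tunggul.vbs" }
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { $findings += "File present: $p" }
}

if ($findings) { $findings } else { 'None of the listed W32/VBLame-G indicators were found.' }
```

The HKCU and `%TEMP%` checks only cover the account the script runs under, so run it as the affected user with rights to read HKLM. A file-name match is a reason to scan that file, not proof of infection.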
