28 June 2007 14:23 GMT
Turkish Delight
Today SophosLabs received a new worm from the field which was quite similar to the W32/SillyFD family, but different enough to make it a new family. Detection has been added as W32/Amca-A.
The worm is written in Visual Basic by some Turkish hackers. The name comes from a reference in the code reading “Paylasim Acma(C,D).exe”.
It has several components packed into a WinRAR SFX. Besides installing itself into the system32 folder, it creates two simple command files, <System>\acd.cmd and <System>\acd2.cmd, which are used to share the infected machine's drives. These files contain a simple command:
net share PATRON1=d:\ /unlimited /remark:"RockStar"
Also, similarly to the SillyFD worms, it spreads to USB drives, creating two hidden files there: activexdebugger32.exe and Autorun.inf. The latter is used to autorun the executable when the drive is connected to a new machine.
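The two artefacts described above, the net share lines in acd.cmd/acd2.cmd and the Autorun.inf plus activexdebugger32.exe pair on removable drives, lend themselves to simple triage checks. The Python below is an added example, not SophosLabs code: the sample command file, the Autorun.inf contents (assumed to use the standard open=/shellexecute= keys) and the drive root listing are all constructed here.

```python
import configparser
import re

# Indicators from the post: the share name/remark in acd.cmd and the exe dropped on USB drives.
SUSPECT_SHARE = "PATRON1"
SUSPECT_REMARK = "RockStar"
DROPPED_EXE = "activexdebugger32.exe"
# Constructed sample: an acd.cmd-style script with the post's share line, a second drive and a harmless line.
SAMPLE_CMD_FILE = """net share PATRON1=d:\\ /unlimited /remark:"RockStar"
net share PATRON1=c:\\ /unlimited /remark:"RockStar"
echo done
"""
# Constructed sample: a minimal Autorun.inf (standard open=/shellexecute= keys assumed) and a drive root listing.
SAMPLE_AUTORUN_INF = "[AutoRun]\nopen=activexdebugger32.exe\nshellexecute=activexdebugger32.exe\n"
SAMPLE_ROOT_LISTING = ["Autorun.inf", "activexdebugger32.exe", "holiday.jpg"]

NET_SHARE_RE = re.compile(r"net\s+share\s+(?P<name>[^=\s]+)=(?P<path>\S+)(?P<opts>.*)", re.I)
REMARK_RE = re.compile(r'/remark:"([^"]*)"', re.I)

def find_rogue_share_commands(script: str) -> list:
    """Return every `net share` line whose share name or remark matches the worm's."""
    hits = []
    for line in script.splitlines():
        m = NET_SHARE_RE.search(line)
        if not m:
            continue
        remark = REMARK_RE.search(m.group("opts"))
        remark_text = remark.group(1) if remark else ""
        if m.group("name").upper() == SUSPECT_SHARE or remark_text == SUSPECT_REMARK:
            hits.append({"name": m.group("name"), "path": m.group("path"), "remark": remark_text})
    return hits

def autorun_targets(inf_text: str) -> list:
    """Files an Autorun.inf would launch: open= / shellexecute= under its [autorun] section."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(inf_text)
    except configparser.Error:
        return []  # not INI-shaped, so nothing would be launched
    targets = []
    for section in cp.sections():
        if section.lower() == "autorun":
            targets += [cp[section][k] for k in ("open", "shellexecute") if k in cp[section]]
    return targets

def usb_drive_is_suspicious(inf_text: str, listing: list) -> bool:
    """True when Autorun.inf launches the dropped exe and that exe sits on the drive root."""
    present = {name.lower() for name in listing}
    targets = {t.lower() for t in autorun_targets(inf_text)}
    return DROPPED_EXE in targets and DROPPED_EXE in present
```

Run against the output of `net share` or a copy of acd.cmd on a suspect host, and against the root of any removable drive; either function returning a hit is worth a closer look.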
Laszlo Tamas, SophosLabs UK
