Sophos

W32/Anig-A

Aliases
  • Worm.Win32.Anig.b
  • W32.HLLW.Anig
  • WORM_ANIG.A

Summary

Affected operating systems: Windows
Included in our products from: August 2008 (4.32)
Protection available since: 6 February 2004 13:35:28 (GMT)
Last updated: 4 July 2008 15:45:52 (GMT)
Detected by: All Sophos products

More Information

W32/Anig-A is a worm that can spread by copying itself over network shares.
W32/Anig-A can also be used to steal passwords.

W32/Anig-A copies itself to <Windows>\System32 using its original filename and
creates the following registry entry in order to run on system restart:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Osa32

W32/Anig-A attempts to spread by copying itself to the share ADMIN$ on remote
machines.

W32/Anig-A may drop a DLL file with keylogging functionality called GinaDLL.DLL
and open port 5190 in order to receive remote commands.

W32/Anig-A registers itself as a service called Distributed File Controller
by creating the following registry entries:

HKLM\System\CurrentControlSet\Services\dfcsvc

DependOnGroup = ""
DependOnService = RpcSS
DisplayName = Distributed File Controller
ErrorControl = 0x0
ImagePath = <filename> /dfcsvc
ObjectName = LocalSystem
Start = 0x2
Type = 0x110

W32/Anig-A may also create the following registry entries:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

GinaDll = ntgina.dll
Ram32Data
Ram32ID
Ram32Group
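The following is an added example, not part of the Sophos description: a read-only PowerShell sweep that checks a single Windows host for the indicators listed above (the Run value Osa32, the dfcsvc service and its display name, the Winlogon GinaDll and Ram32* values, the dropped DLLs in System32, and anything listening on port 5190). Indicator names are taken from this page; everything else is an assumption: the cmdlets are standard Windows PowerShell, Get-NetTCPConnection / Get-NetUDPEndpoint are only assumed to exist on Windows 8 / Server 2012 and later (older hosts fall back to netstat), the page does not say whether port 5190 is TCP or UDP so both are checked, and the worm's own executable name is not given (it keeps its original filename), so any path found in the Run value or ImagePath is reported for analyst review rather than matched against a known name.

```powershell
# Added example (not Sophos code): read-only sweep of one Windows host for the
# W32/Anig-A indicators named in the description. Run from an elevated prompt.
# It reads and reports only; it removes nothing. Findings are for analyst review.

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Indicator, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Indicator = $Indicator; Detail = $Detail })
}

# 1. Startup persistence: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Osa32
#    The data (the worm's path) is not known from the description, so it is
#    reported as found rather than compared to a fixed name.
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties.Name -contains 'Osa32') {
    Add-Finding 'Run value Osa32' "data = $($run.Osa32)"
}

# 2. Service persistence: dfcsvc / "Distributed File Controller"
$svcKey = 'HKLM:\System\CurrentControlSet\Services\dfcsvc'
if (Test-Path $svcKey) {
    $svc = Get-ItemProperty -Path $svcKey
    Add-Finding 'Service key dfcsvc' "ImagePath = $($svc.ImagePath); Start = $($svc.Start); Type = $($svc.Type)"
}
# The display name is a second handle in case the short name differs on this host.
$byName = Get-CimInstance -ClassName Win32_Service -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -eq 'Distributed File Controller' }
foreach ($s in $byName) {
    Add-Finding 'Service by display name' "Name = $($s.Name); PathName = $($s.PathName); State = $($s.State)"
}

# 3. Winlogon GINA replacement plus the Ram32* values. A GinaDll value can also
#    belong to a legitimate third-party logon provider on XP/2003, so a value
#    other than ntgina.dll is flagged "review"; ntgina.dll and the Ram32* names
#    match the description directly.
$wlKey = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$wl = Get-ItemProperty -Path $wlKey -ErrorAction SilentlyContinue
if ($wl) {
    foreach ($name in 'GinaDll', 'Ram32Data', 'Ram32ID', 'Ram32Group') {
        if ($wl.PSObject.Properties.Name -contains $name) {
            $verdict = if ($name -eq 'GinaDll' -and $wl.GinaDll -ne 'ntgina.dll') { 'review' } else { 'match' }
            Add-Finding "Winlogon\$name ($verdict)" "data = $($wl.$name)"
        }
    }
}

# 4. Dropped DLLs in System32: GinaDLL.DLL (keylogger) and ntgina.dll (GinaDll value)
foreach ($dll in 'GinaDLL.DLL', 'ntgina.dll') {
    $path = Join-Path $env:SystemRoot "System32\$dll"
    if (Test-Path $path) {
        $item = Get-Item $path
        Add-Finding "File $dll" "size = $($item.Length); modified = $($item.LastWriteTimeUtc.ToString('u'))"
    }
}

# 5. Command channel on port 5190. The description does not say TCP or UDP, so
#    both are checked (assumption). The Net* cmdlets need Windows 8 / Server 2012
#    or later; older hosts fall back to parsing netstat.
if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
    Get-NetTCPConnection -LocalPort 5190 -State Listen -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Finding 'TCP 5190 listener' "pid = $($_.OwningProcess)" }
    Get-NetUDPEndpoint -LocalPort 5190 -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Finding 'UDP 5190 endpoint' "pid = $($_.OwningProcess)" }
} else {
    netstat -ano | Select-String ':5190\s' |
        ForEach-Object { Add-Finding 'Port 5190 (netstat)' $_.Line.Trim() }
}

if ($findings.Count -eq 0) {
    'No W32/Anig-A indicators found on this host.'
} else {
    $findings | Format-Table -AutoSize
}
```

A hit on the Run value, the dfcsvc service key or the Ram32* names is a direct match to the description; a GinaDll value pointing somewhere other than ntgina.dll is only a prompt to look at the file it names, since custom GINA providers were legitimate on XP/2003-era systems. Port 5190 is reported together with the owning process id so the listener can be tied to a binary before any cleanup decision.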
