Sophos

W32/Anig-C

Aliases
  • W32.HLLW.Anig
  • W32/Anig.worm.gen

Summary

 
How it spreads
  • Network shares
Affected operating systems: Windows
Characteristics
  • Installs itself in the registry
Included in our products from: February 2005 (3.90)
Protection available since: 9 December 2004 05:01:16 (GMT)
Detected by: All Sophos products

More Information

W32/Anig-C is a worm that can spread by copying itself over network shares.

W32/Anig-C can also be used to steal passwords.

W32/Anig-C attempts to spread by copying itself to the share ADMIN$ on remote computers.

W32/Anig-C may drop a DLL file with keylogging functionality called GinaDLL.DLL and open port 5190 in order to receive remote commands.

W32/Anig-C copies itself to <Windows>\System32 using its original filename and creates the following registry entry in order to run on system restart:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Osa32

On NT-based versions of Windows, W32/Anig-C registers itself as a service called <filename> with the display name Distributed File Controller. The new service has a Startup type of automatic, so it is started automatically each time a new Windows session is started. New registry entries are created beneath the following registry entry:

HKLM\System\CurrentControlSet\Services\dfcsvc

W32/Anig-C may also create the following registry entry:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
GinaDll
ntgina.dll
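
The following PowerShell check is an added example, not part of the original Sophos description. It looks on a single host for the registry, service and port artifacts listed above. The function name Test-AnigCArtifacts is hypothetical, the port is assumed to be TCP, and Get-NetTCPConnection assumes Windows 8 / Server 2012 or later.

```powershell
# Added example: report artifacts that this description attributes to W32/Anig-C.
# Test-AnigCArtifacts is a hypothetical name. Run from an elevated prompt.
function Test-AnigCArtifacts {
    $findings = @()

    # Run-key value "Osa32" (run on system restart).
    $run = Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties.Name -contains 'Osa32') {
        $findings += [pscustomobject]@{ Artifact = 'Run value Osa32'; Detail = $run.Osa32 }
    }

    # Service registry key "dfcsvc" (NT-based Windows).
    $svcKey = 'HKLM:\System\CurrentControlSet\Services\dfcsvc'
    if (Test-Path -Path $svcKey) {
        $svc = Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue
        $findings += [pscustomobject]@{ Artifact = 'Service key dfcsvc'; Detail = $svc.ImagePath }
    }

    # Any installed service that uses the display name from the description.
    $named = Get-CimInstance -ClassName Win32_Service -Filter "DisplayName = 'Distributed File Controller'" -ErrorAction SilentlyContinue
    foreach ($s in $named) {
        $findings += [pscustomobject]@{ Artifact = 'Service display name'; Detail = "$($s.Name): $($s.PathName)" }
    }

    # Winlogon "GinaDll" value. Report whatever is set and mark the name from the description.
    $wl = Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' -ErrorAction SilentlyContinue
    if ($wl -and $wl.PSObject.Properties.Name -contains 'GinaDll') {
        $label = if ($wl.GinaDll -ieq 'ntgina.dll') { 'GinaDll = ntgina.dll' } else { 'GinaDll set (review)' }
        $findings += [pscustomobject]@{ Artifact = $label; Detail = $wl.GinaDll }
    }

    # Listener on port 5190 (TCP assumed). A listener alone is only a lead:
    # check the owning process before drawing a conclusion.
    $listeners = Get-NetTCPConnection -State Listen -LocalPort 5190 -ErrorAction SilentlyContinue
    foreach ($l in $listeners) {
        $p = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
        $findings += [pscustomobject]@{ Artifact = 'Listener on TCP 5190'; Detail = "PID $($l.OwningProcess) $($p.Path)" }
    }

    $findings
}

Test-AnigCArtifacts | Format-Table -AutoSize -Wrap
```

An empty result means none of the listed artifacts were found on that host; it does not replace a scan with an up-to-date anti-virus product.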
