W32/SillyFD-AA

Aliases	Worm.Win32.VB.fw W32/Sillyworm.WR W32/Archiles.worm WORM_VB.CNG
Category	Viruses and Spyware
Type	Worm
What to do	If you've received an alert for a virus or spyware, then follow the instructions for removing the threat.
Prevalence	low high

Summary

Summary
Action
More Information


How it spreads	Removable storage devices
Affected operating systems	Windows
Characteristics	Installs itself in the registry
Included in our products from	June 2007 (4.18)
Protection available since	3 May 2007 06:07:24 (GMT)
Detected by	All Sophos products

Action

Summary
Action
More Information

Please follow the instructions for removing worms.

More Information

Summary
Action
More Information

W32/SillyFD-AA is a worm for the Windows platform.

Once installed W32/SillyFD-AA spreads through removable storage devices, including floppy drives and USB keys. The worm attempts to create a hidden file Autorun.inf on the removeable drive and copy itself to the removeable drive with the hidden filename <Root>\handydriver.exe.

The file <Root>\Autorun.inf is designed to start the worm once the removable drive is connected to a uninfected computer.

W32/SillyFD-AA copies itself to the following locations:
<Root>\kerneldrive.exe
<Windows>\regedit.exe
<Windows>\pchealth\helpctr\Binaries\msconfig.exe
<System>\systeminit.exe
<System>\wininit.exe
<System>\winsystem.exe
<System>\cmd.exe
<System>\taskmgr.exe

W32/SillyFD-AA also creates the following file <Root>\autorun.inf.

The following registry entries are set to run W32/SillyFD-AA to run itself on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
<System>\userinit.exe,<System>\systeminit.exe,

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
wininit
<System>\wininit.exe

The following registry entries are also set:

HKCU\Software\Microsoft\Internet Explorer\Main
Window Title
Hacked by 1BYTE

HKCU\Software\Microsoft
ServicePack
1.2

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer
SearchHidden
0

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer
SearchSystemDirs
0

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFolderOptions
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegedit
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
1

HKCU\Software\Microsoft
nFlag
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
SuperHidden
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoDriveTypeAutoRun
0

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
1

Get reports about the latest virus and spyware threats delivered to your computer

In this section

W32/SillyFD-AA

Summary

Action

More Information