Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Characteristics | |
| Included in our products from | November 2006 (4.11) |
| Protection available since | 23 June 2005 21:47:04 (GMT) |
| Last updated | 5 October 2006 06:15:18 (GMT) |
| Detected by | All Sophos products |
Action

Please contact technical support.
More Information
W32/Wenper-B is a worm for the Windows platform.
W32/Wenper-B may attempt to copy itself to network shares.
When W32/Wenper-B is run, it creates backups of itself at the following locations:
<Windows system folder>\crypto.dll
<Windows system folder>\lcss.exe
<Windows system folder>\net.cpl
<Windows system folder>\wlogon.dll
The following registry entries are created to run code exported by wlogon.dll on startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlogon
Impersonate
1
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlogon
Startup
EvWinLogon
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlogon
DLLName
wlogon.dll
The file lcss.exe is registered as a new system driver service named "Lcss" with a startup type of automatic, so that it is started automatically during system startup. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\Lcss\
In particular, the following registry entry is created:
HKLM\SYSTEM\CurrentControlSet\Services\Lcss
ImagePath
<Windows system folder>\lcss.exe
The file crypto.dll is registered as a COM object and ShellExecute hook, creating registry entries under:
HKCR\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\
HKCR\WinCryptography.Encrypt\
HKCR\WinCryptography.Encrypt.1\
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}
In particular, the following registry entry is created:
HKCR\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\InprocServer32
(default)
crypto.dll
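
The following is an added example, not part of the original analysis: a Python check that scans the text of a registry export for the Winlogon Notify, Lcss service and crypto.dll COM entries listed above. The names parse_reg and find_indicators are hypothetical, the sample export is constructed, and the code assumes the export has already been decoded to text and that the values are plain strings (hex-encoded value types are not decoded).

```python
import re

# Persistence indicators from the write-up: (key, value name, expected data suffix).
# "" names the key's (default) value; hives are spelled out as in .reg exports.
NOTIFY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlogon"
INDICATORS = [
    (NOTIFY, "DLLName", "wlogon.dll"),
    (NOTIFY, "Startup", "EvWinLogon"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Lcss", "ImagePath", r"\lcss.exe"),
    (r"HKEY_CLASSES_ROOT\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\InprocServer32", "", "crypto.dll"),
]
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)   # .reg strings escape \ and " with a backslash

def parse_reg(text):
    """Parse .reg export text into {key.lower(): {value_name.lower(): data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = VALUE_RE.match(line)
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif m and current is not None:
            name = "" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
            raw = m.group(2)
            is_string = len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"'
            # Non-string data (dword:, hex:) is kept as written, undecoded.
            current[name.lower()] = _unescape(raw[1:-1]) if is_string else raw
    return keys

def find_indicators(keys):
    """Return (key, value name, data) for every indicator present in the export."""
    hits = []
    for key, name, expected in INDICATORS:
        data = keys.get(key.lower(), {}).get(name.lower())
        if data is not None and data.lower().endswith(expected.lower()):
            hits.append((key, name or "(default)", data))
    return hits

# Constructed sample export (not from a real host); the system folder path is assumed.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlogon]
"DLLName"="wlogon.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Lcss]
"ImagePath"="C:\\WINDOWS\\system32\\lcss.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"ImagePath"="C:\\WINDOWS\\system32\\spoolsv.exe"'''
```

Calling find_indicators(parse_reg(SAMPLE)) returns the wlogon DLLName entry and the Lcss ImagePath entry and ignores the Spooler service.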
