W32.Pahatia.C by Microsoft Windows NT

Sun, 30 Dec 2007 23:00:34 +0300

W32.Pahatia.C
Risk Level 1: Very Low

Discovered: June 18, 2007

Type: Worm
Infection Length: 54,272 bytes
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When the worm is executed, it reads information about the following environment variables:

* OS
* PROCESSOR_IDENTIFIER (For example, x86 Family 15 Model 3 Stepping 4, GenuineIntel.)
* USERNAME
* COMPUTERNAME
* Windir

It then uses the values gathered to copy itself to the following files:

* %UserProfile%\Desktop\[PROCESSOR IDENTIFIER].exe
* %UserProfile%\Start Menu\Programs\Startup\[USER NAME].exe
* %UserProfile%\Start Menu\Programs\[USER NAME].exe
* %System%\[COMPUTER NAME].exe
* %System%\[OS].exe

The worm then copies the %System%\MSVBVM60.dll file to %System%\Inspire.roster. It then installs its own version of %System%\MSVBVM60.dll.

The worm creates the following registry subkey:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Run

The worm then creates the following registry entries, so that it runs every time Windows starts:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"SRVState_[COMPUTER NAME]" = "%System%\[COMPUTER NAME].exe /charts"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Run\"Regulation handler" = "%System%\[OS].exe /folder"
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\"AutoRun" = "echo off|%System%\[OS].exe|cls"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"RPCall_[COMPUTER NAME]" = "%System%\[COMPUTER NAME].exe /charts"

The worm also modifies the following registry entries, so that it runs every time Windows starts:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "explorer.exe %System%\[COMPUTER NAME].exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\"System" = "%System%\[COMPUTER NAME].exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\"Userinit" = "C:\WINDOWS\system32\userinit.exe,%System%\[OS].exe, "
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\"load" = "%System%\[COMPUTER NAME].exe"

It then terminates any process whose name contains one of the following strings:

* regedit.exe
* msconfig.exe
* cmd.exe
* Windows Task Manager
* taskmgr.exe
* svchost.exe
* killvir.exe

It also monitors Internet Explorer and closes any window that has one of the following URLs in the Address Bar:

* symantec.com
* friendster.com
* DMOZ.com
* matiluvirus.com

The worm then modifies the following registry entries, so that hidden files and file extensions are not shown:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"Hidden" = "2"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"HideFileExt" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"ShowSuperHidden" = "0"
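The load points listed above (the Winlogon Shell, System and Userinit values, the Command Processor AutoRun value, the "load" value, and the three Explorer view settings) are the places a responder would check on a suspect host. The following added example, which is not part of the original writeup, runs those checks over a constructed registry snapshot; the computer and OS names in the sample data are placeholders.

```python
# Constructed registry snapshot (path -> data) modelled on the entries in the
# writeup; machine/OS names are placeholders, not real indicators.
SAMPLE = {
    r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell":
        r"explorer.exe C:\WINDOWS\system32\PC-01.exe",
    r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit":
        r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\Windows_NT.exe, ",
    r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\System":
        r"C:\WINDOWS\system32\PC-01.exe",
    r"HKCU\Software\Microsoft\Command Processor\AutoRun":
        r"echo off|C:\WINDOWS\system32\Windows_NT.exe|cls",
    r"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\load":
        r"C:\WINDOWS\system32\PC-01.exe",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden": "2",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt": "1",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden": "0",
}

WINLOGON = r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
ADVANCED = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
# Values that are normally absent or empty; any data here deserves a look.
SHOULD_BE_EMPTY = [
    WINLOGON + r"\System",
    r"HKCU\Software\Microsoft\Command Processor\AutoRun",
    r"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\load",
]

def check_persistence(values):
    """Return (path, reason) findings for the load points this worm abuses.
    Path matching is case-insensitive, as the registry itself is."""
    reg = {k.lower(): d for k, d in values.items()}
    get = lambda p: reg.get(p.lower())
    findings = []
    shell = get(WINLOGON + r"\Shell")
    if shell is not None and shell.strip().lower() != "explorer.exe":
        findings.append((WINLOGON + r"\Shell", "extra program after explorer.exe"))
    userinit = get(WINLOGON + r"\Userinit") or ""
    extra = [p.strip() for p in userinit.split(",")
             if p.strip() and not p.strip().lower().endswith(r"\userinit.exe")]
    if extra:
        findings.append((WINLOGON + r"\Userinit", "extra entries: " + ", ".join(extra)))
    for path in SHOULD_BE_EMPTY:
        if get(path):
            findings.append((path, "normally empty, contains: " + get(path)))
    # All three Explorer view settings forced to the worm's values at once
    wanted = {"Hidden": "2", "HideFileExt": "1", "ShowSuperHidden": "0"}
    if all(get(ADVANCED + "\\" + n) == d for n, d in wanted.items()):
        findings.append((ADVANCED, "hidden files and extensions suppressed"))
    return findings
```

On a live host the same dictionary can be filled from a registry export or the winreg module; a clean machine produces no findings.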

It may also search for folder names in the root of local and removable drives and copy itself to the root of those drives using the same folder names. For example, if the folder is [DRIVE LETTER]:\[FOLDER NAME], the worm copies itself as [DRIVE LETTER]:\[FOLDER NAME].exe. The worm gives its executables the same icon that Windows uses for folders, in an attempt to trick the user into executing them.
