Home / malware Win32.Worm.Zindos.A
First posted on 21 November 2011.
Source: BitDefenderAliases :
Win32.Worm.Zindos.A is also known as Worm.Win32.Zindos.a;, Win32/Zindos.A.Trojan.
Explanation :
When ran, the worm creates the registry key:
HKLMSoftwareMicrosoftWindowsCurrentVersionRun
with the value:
"Tray" = [worm exe file]
The worm uses the Backdoor.Mydoom.M to spread on port 1034. It sends itself to random IP addresses 10 times per second. The backdoor in the victim computer saves the worm in the temporary folder then executes it.
After 3 minutes the worm starts an attack to www.microsoft.com by repeatedly starting a thread that reads the site's start page and deleting the downloaded file 20 times per second. The repeat interval starts with 1 second and increases with 250 milliseconds every time. So after 5 only minutes, about 260 thousands of read attempts are made.
The worm file is usually found in the windows temporary folder, which may be one of the following:
%WINDIR%Temp
%Documents And Settings%\%Current User%Local SettingsTemp
and has a random file name and an EXE extension.Last update 21 November 2011