Worm:Win32/SillyShareCopy.E
First posted on 01 May 2019.
Source: Microsoft
Aliases:
Worm:Win32/SillyShareCopy.E is also known as Win32/Dodaykil.B, W32/Baysur-B, Virus.Win32.VB.dg, W32/Pitin.worm, W32.SillyFDC, WORM_VB.DTH.
Explanation :
Worm:Win32/SillyShareCopy.E is a worm that propagates by dropping several copies of itself to all drives found in the system.
Installation
Worm:Win32/SillyShareCopy.E creates the following additional files in the system:
%Start Menu%\Programs\Startup\Adobe Online.com - copy of itself
%Start Menu%\Programs\Startup\Adobe update.com - copy of itself
%windir%\Thumbs .db - component file
Autoexec.bat - batch file that displays the following message: where is the directory where the malware was executed.
It also drops several copies of itself in the root folder, named after folders found on the drive, using the following format: .scr
For example:
C:\Program Files .scr
C:\Documents and Settings .scr
Worm:Win32/SillyShareCopy.E also uses a folder icon and launches Explorer when it is double-clicked. This is intended to fool users into thinking that the executed file is a real folder. To do this, SillyShareCopy.E changes the following registry entries:
Modifies value: "@"
From data: "Screen Saver"
To data: "File Folder"
To subkey: HKLM\SOFTWARE\Classes\scrfile
Modifies value: "@"
From data: ""%1" /S"
To data: "%1"
To subkey: HKLM\SOFTWARE\Classes\scrfile\shell\open\command
Spreads Via... Logical Drives
Upon execution, Worm:Win32/SillyShareCopy.E drops the following hidden files in all drives from C: to Z:
Thumbs.com - copy of itself
Thumbs .db - component file
Autorun.inf - autorun configuration file
The autorun configuration file enables this worm to execute automatically when the drive is opened.
Payload
Modifies System Settings
Worm:Win32/SillyShareCopy.E modifies the system registry so that hidden files cannot be viewed by the user:
Adds value: "CheckedValue"
With data: "0"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
Adds value: "UncheckedValue"
With data: "1"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt
It also adds the following registry keys:
HKLM\SOFTWARE\Classes\scrfile\InfoTip
HKLM\SOFTWARE\Classes\scrfile\NeverShowExt
HKLM\SOFTWARE\Classes\scrfile\TileInfo
Displays Message
Worm:Win32/SillyShareCopy.E displays the following message when the user logs on:
It does this by adding the following registry entries:
Adds value: "LegalNoticeCaption"
To data: "81u3f4nt45y - 24.01.2007 - Surabaya"
Adds value: "LegalNoticeText"
To data: "Surabaya in my birthday
Don't kill me, i'm just send message from your computer
Terima kasih telah menemaniku walaupun hanya sesaat, tapi bagiku sangat berarti
Maafkan jika kebahagiaan yang kuminta adalah teman sepanjang hidupku
Seharusnya aku mengerti bahwa keberadaanku bukanlah disisimu, hanyalah lamunan dalam sesal
Untuk kekasih yang tak kan pernah kumiliki 3r1k1m0"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Analysis by Elda Dimakiling
Last update 01 May 2019
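As an added defender's check (not part of the Microsoft description or any tool it names), the following Python audits a registry snapshot for the value changes listed above; `audit`, `read_live_snapshot` and the constructed `SAMPLE` are this example's own names, and the full `Hidden\SHOWALL` key spelling assumes the standard Explorer key.

```python
# Registry changes attributed to the worm on this page (backslashes restored;
# "@" stands for a key's default value).
INDICATORS = {
    (r"HKLM\SOFTWARE\Classes\scrfile", "@"): "File Folder",
    (r"HKLM\SOFTWARE\Classes\scrfile\shell\open\command", "@"): '"%1"',
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
     r"\Folder\Hidden\SHOWALL", "CheckedValue"): 0,
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
     r"\Folder\HideFileExt", "UncheckedValue"): 1,
    (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
     "LegalNoticeCaption"): "81u3f4nt45y - 24.01.2007 - Surabaya",
}

def audit(snapshot):
    """Return (key, value name, data) for each value matching the worm's settings.
    snapshot maps (key, value name) -> data; missing values are skipped and
    strings are compared case-insensitively."""
    hits = []
    for (key, name), bad in INDICATORS.items():
        data = snapshot.get((key, name))
        if data is None:
            continue
        if isinstance(bad, str):
            if isinstance(data, str) and data.strip().lower() == bad.lower():
                hits.append((key, name, data))
        elif data == bad:
            hits.append((key, name, data))
    return hits

def read_live_snapshot():
    """Read the audited values from the local registry (Windows only)."""
    import winreg  # only importable on Windows
    snap = {}
    for key, name in INDICATORS:
        subkey = key.split("\\", 1)[1]  # drop the "HKLM" hive prefix
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as h:
                snap[(key, name)] = winreg.QueryValueEx(h, "" if name == "@" else name)[0]
        except OSError:
            pass  # key or value not present on this host
    return snap

# Constructed sample: clean .scr association, but "show hidden files" disabled
# the way the worm does it (CheckedValue = 0), so exactly one finding results.
SAMPLE = {
    (r"HKLM\SOFTWARE\Classes\scrfile", "@"): "Screen Saver",
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
     r"\Folder\Hidden\SHOWALL", "CheckedValue"): 0,
}
```

On a Windows host, `audit(read_live_snapshot())` runs the same checks against the live registry; elsewhere `audit(SAMPLE)` exercises the logic offline.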