Worm:Win32/Esfury.D
First posted on 18 August 2010.
Source: SecurityHome
Aliases :
Worm:Win32/Esfury.D is also known as W32/Agent.UWCW (Norman), Trojan.Injector.QIR (VirusBuster), Dropper.Generic2.AANE (AVG), TR/Click.Outtol.A (Avira), Trojan.Agent.VB.BMW (BitDefender), Win32/VBInject.D!generic (CA), Win32/Injector.CHN (ESET), Trojan.Click (Ikarus), Troj/DwnLdr-IHU (Sophos), Trojan.Win32.Generic!BT (Sunbelt Software), W32.Rontokbro@mm (Symantec).
Explanation :
Worm:Win32/Esfury.D is a worm that spreads by copying itself to all removable drives. It also changes Internet Explorer's start page and other system settings (User Account Control, System Restore, and the display of hidden files) that lower the overall security of the computer, and it connects to certain websites.
Installation
Worm:Win32/Esfury.D drops a copy of itself as the following file:
%HomePath%\<user name>1\winlogon.exe
where <user name> is a user account name defined on the computer. Note that a legitimate file also named "winlogon.exe" exists by default in the Windows system folder (%SystemRoot%\System32); a winlogon.exe located under a user profile directory is not the legitimate one.

Spreads via removable drives
Worm:Win32/Esfury.D may drop the following files on all removable drives:
winlogon.exe - copy of itself
autorun.inf - INF file that causes the worm copy to run automatically when the drive is accessed, provided Autorun is enabled on the host

Payload
Connects to certain websites
Worm:Win32/Esfury.D may attempt to connect to the following websites:
0-1-0-0-1-0-0-0-1-0-1-1-0-1-1-1-1-0-1-1-1-0-0-0-1-1-1-1-1-1-1-.0-0-0-0-0-0-0-0-0-0-0-0-0-60-0-0-0-0-0-0-0-0-0-0-0-0-0.info
3-x-5-3-7-h-p-g-r-y-7-g-b-3-8-9-8-4-l-j.cheaps1.info
whos.amung.us
Injects code into processes
It may also inject code into the following process:
svchost.exe

Modifies system settings
Worm:Win32/Esfury.D may modify the following registry values:
Disables UAC (User Account Control) notifications:
Adds value: "UACDisableNotify"
With data: "1"
In subkey: HKLM\SOFTWARE\Microsoft\Security Center
Disables LUA (Limited User Account, the registry switch behind User Account Control; data "0" turns UAC off entirely, so every process of an administrator runs fully elevated):
Adds value: "EnableLUA"
With data: "0"
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Disables System Restore:
Adds value: "DisableSR"
With data: "1"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
Stops the System Restore service (on Windows XP, "sr" is the System Restore file-system filter driver, sr.sys; start type 4 means disabled, so it will not load at the next boot):
Adds value: "Start"
With data: "4"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\sr
Hides protected operating system files in Windows Explorer (files carrying both the hidden and system attributes):
Adds value: "ShowSuperHidden"
With data: "0"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced

Modifies Internet Explorer settings
Worm:Win32/Esfury.D changes the start page of Internet Explorer by modifying the following registry entry:
Modifies value: "Start Page"
With data: "http://www.nuevaq.fm"
In subkey: HKCU\Software\Microsoft\Internet Explorer\Main
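The following PowerShell triage script is an added example and is not part of the original advisory or of any vendor tool. It audits a host for the indicators documented above: the registry values the worm sets, a winlogon.exe dropped under a user profile, a winlogon.exe process running from outside System32, and the autorun.inf/winlogon.exe pair on removable drives. It assumes that the "<user name>1" folder is named after the profile directory (an assumption; the advisory says only "user name"), that HKCU checks apply to the user running the script, and that the script runs from an elevated prompt so that process paths are readable. It only reports; it does not clean anything.

```powershell
# Added triage script for the Worm:Win32/Esfury.D indicators listed in this entry.
# Not part of the original advisory. Run elevated. Reports findings; changes nothing.

$findings = @()

# Registry values exactly as documented above: path, value name, data the worm writes.
# HKCU entries are checked only for the user running this script (assumption).
$regChecks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center';                          Name = 'UACDisableNotify'; Bad = '1' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'EnableLUA';        Bad = '0' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore';  Name = 'DisableSR';        Bad = '1' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\sr';                        Name = 'Start';            Bad = '4' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'ShowSuperHidden';  Bad = '0' },
    @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\Main';                   Name = 'Start Page';       Bad = 'http://www.nuevaq.fm' }
)

foreach ($c in $regChecks) {
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -ne $item) {
        $val = "$($item.($c.Name))"
        if ($val -eq $c.Bad) {
            $findings += "Registry: $($c.Path)\$($c.Name) = $val (matches the Esfury.D setting)"
        }
    }
}

# Dropped copy: %HomePath%\<user name>1\winlogon.exe. We enumerate every profile
# directory and assume the "<user name>1" folder is named after the profile folder.
$profilesRoot = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList').ProfilesDirectory
$profilesRoot = [Environment]::ExpandEnvironmentVariables($profilesRoot)
foreach ($dir in Get-ChildItem -Path $profilesRoot -Directory -Force -ErrorAction SilentlyContinue) {
    $candidate = Join-Path $dir.FullName ("{0}1\winlogon.exe" -f $dir.Name)
    if (Test-Path -LiteralPath $candidate) {
        $findings += "File: $candidate (winlogon.exe outside the Windows system folder)"
    }
}

# The only legitimate winlogon.exe lives in System32; any other path is suspect.
$legitWinlogon = Join-Path $env:SystemRoot 'System32\winlogon.exe'
foreach ($p in Get-Process -Name winlogon -ErrorAction SilentlyContinue) {
    try { $path = $p.Path } catch { $path = $null }
    if ($path -and ($path -ne $legitWinlogon)) {
        $findings += "Process: winlogon.exe (PID $($p.Id)) running from $path"
    }
}

# Removable drives (Win32_LogicalDisk DriveType 2): look for the autorun.inf + winlogon.exe pair.
# Test-Path sees hidden/system files, so attribute tricks do not hide the pair from this check.
foreach ($disk in Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2') {
    $root = $disk.DeviceID + '\'
    $inf  = Join-Path $root 'autorun.inf'
    $exe  = Join-Path $root 'winlogon.exe'
    if ((Test-Path -LiteralPath $inf) -and (Test-Path -LiteralPath $exe)) {
        $findings += "Removable drive $($disk.DeviceID): autorun.inf and winlogon.exe both present"
    } elseif (Test-Path -LiteralPath $inf) {
        $findings += "Removable drive $($disk.DeviceID): autorun.inf present (inspect its [autorun] section)"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Worm:Win32/Esfury.D indicators found.'
} else {
    $findings | ForEach-Object { Write-Output $_ }
}
```

A match on the registry values alone is not proof of this worm (an administrator can set EnableLUA or ShowSuperHidden deliberately), but the combination of those values with a winlogon.exe under a profile directory or on a removable drive is. After removal, the registry values need to be restored by hand (EnableLUA back to 1, Start for the sr driver back to its default, and so on) because the worm's changes persist independently of its files.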
Analysis by Andrei Florin Saygo
Last update 18 August 2010