Worm:Win32/Roopirs.A
First posted on 29 October 2010.
Source: SecurityHome
Aliases :
Worm:Win32/Roopirs.A is also known as W32/VBTrojan.17E!Maximus (Authentium (Comman, TR/Swisyn.C (Avira), Backdoor.Agent.1 (BitDefender), Win32/Swisyn.T (CA), Win32/VB.NUV (ESET), Trojan.Win32.Swisyn.ubp (Kaspersky), Swisyn.e (McAfee), Mal/VB-F (Sophos), W32.SillyFDC (Symantec), TROJ_SWISYN.AJ (Trend Micro), Trojan.Swisyn.VJS (VirusBuster).
Explanation :
Worm:Win32/Roopirs.A is a worm that copies itself to mapped network drives and assumes the icon of a Windows folder to increase its chance of user execution.
Installation
When run, the worm drops a copy of itself as the following file name:
%windir%\winlogon.exe
The registry is modified to run the worm copy at each Windows start.
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "winlogon.exe"
To data: "%windir%\winlogon.exe"

Spreads via…
Mapped network drives
The worm attempts to copy itself to mapped network drives as the following:
<drive:>\.exe
<drive:>\winlogon.exe
<drive:>\subst\subst.exe

Additional information
The worm has the following file attributes that contribute to its detected name:
Product Name: poorvirus
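The indicators above, turned into a triage check over exported Run values and a file listing; this is an added example, not part of the original write-up. The function names, the C:\Windows value for %windir% and all sample records are assumptions constructed for illustration, and only the two copy paths the description names in full are matched.

```python
import ntpath
import re

WINDIR = r"C:\Windows"  # assumption: value of %windir% on the examined host
# The genuine winlogon.exe is in %windir%\System32; the worm's copy sits one level up.
DROPPED = ntpath.join(WINDIR, "winlogon.exe").lower()
# Copy locations on mapped drives that the description names in full.
DRIVE_COPY = re.compile(r"^[a-z]:\\(winlogon\.exe|subst\\subst\.exe)$", re.I)

def target_path(data):
    """Executable path from Run-value data: unquoted, expanded, normalised."""
    data = data.strip()
    path = data[1:].split('"', 1)[0] if data.startswith('"') else data
    path = re.sub(r"%(windir|systemroot)%", lambda m: WINDIR, path, flags=re.I)
    return ntpath.normpath(path)

def check_run_values(values):
    """Names of Run values whose data launches the copy in %windir% itself."""
    return [n for n, d in values.items() if target_path(d).lower() == DROPPED]

def check_files(files):
    """Map each suspicious (path, product name) record to the indicators it matched."""
    hits = {}
    for path, product in files:
        reasons = []
        if DRIVE_COPY.match(ntpath.normpath(path)):
            reasons.append("path")
        if (product or "").strip().lower() == "poorvirus":
            reasons.append("product-name")
        if reasons:
            hits[path] = reasons
    return hits

# Constructed sample data, not taken from an infected host.
SAMPLE_RUN = {
    "winlogon.exe": r"%windir%\winlogon.exe",
    "Shell Helper": r'"C:\WINDOWS\System32\winlogon.exe"',
    "OneDrive": r'"C:\Users\a\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
}
SAMPLE_FILES = [
    (r"Z:\winlogon.exe", "poorvirus"),
    (r"Z:\subst\subst.exe", None),
    (r"Z:\tools\subst.exe", "Microsoft Windows Operating System"),
    (r"Z:\share\setup.exe", "PoorVirus"),
]

if __name__ == "__main__":
    print(check_run_values(SAMPLE_RUN))
    print(check_files(SAMPLE_FILES))
```
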
Analysis by Jaime Wong
Last update 29 October 2010