
Worm:Win32/Fakerecy.B


First posted on 22 May 2012.
Source: Microsoft

Aliases:

Worm:Win32/Fakerecy.B is also known as Win-Trojan/Recycled.20480 (AhnLab), Trojan.Win32.VB.aqt (Kaspersky), W32/VBTroj.CZS (Norman), Trojan.VB.EYCX (VirusBuster), Worm/VB.DYC (AVG), TR/VB.aqt.6 (Avira), Trojan.Recycle.D (BitDefender), Trojan.Recycle (Dr.Web), Win32/VB.AQT trojan (ESET), Trojan.Win32.VB (Ikarus), FakeRecycled (McAfee), W32.Fakerecy (Symantec), WORM_VB.SMF (Trend Micro).

Explanation:



Worm:Win32/Fakerecy.B is a worm that spreads via logical drives.



Installation

Worm:Win32/Fakerecy.B creates the following files in the system drive (which is usually C:):

  • autorun.inf - detected as Worm:INF/Autorun.B
  • Recycled\desktop.ini
  • Recycled\INFO2
  • Recycled\ctfmon.exe - copy of itself
  • <startup folder>\ctfmon.exe


Note - <startup folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the Startup folder for Windows 9x, Me, NT, 2000, XP and 2003 is '%USERPROFILE%\Start Menu\Programs\Startup'. For Windows Vista and Windows 7, the default location is '%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'.

Note that its copy in the startup folder automatically runs when Windows starts.

Spreads via...

Logical drives

Worm:Win32/Fakerecy.B spreads to other computers by looking for accessible mapped drives (D: down to Z:). If it finds a drive, it creates the following files, similar to the ones that it drops in the system drive:

  • autorun.inf - detected as Worm:INF/Autorun.B
  • Recycled\desktop.ini
  • Recycled\INFO2
  • Recycled\ctfmon.exe - copy of itself


The "autorun.inf" file ensures that Worm:Win32/Fakerecy.B automatically runs when drives in which Autorun is enabled are accessed.
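The per-drive file set listed above can be checked during triage of a drive root or a mounted volume. The following is an added example, not part of the original Microsoft write-up; the function names and the sample directory trees are constructed for illustration, and the check covers only the per-drive artifacts, not the startup-folder copy.

```python
import os
import tempfile

# Relative paths the write-up lists for every affected drive root.
DROPPED = ["autorun.inf", "Recycled/desktop.ini", "Recycled/INFO2", "Recycled/ctfmon.exe"]

def find_ci(root, rel):
    """Resolve rel under root case-insensitively (Windows names ignore case,
    a volume mounted on Linux for triage does not). Returns a path or None."""
    cur = root
    for part in rel.split("/"):
        try:
            names = os.listdir(cur)
        except OSError:  # missing, unreadable, or a file where a folder was expected
            return None
        match = next((n for n in names if n.lower() == part.lower()), None)
        if match is None:
            return None
        cur = os.path.join(cur, match)
    return cur

def scan_root(root):
    """Return the listed artifacts that are present under one drive root."""
    return [rel for rel in DROPPED if find_ci(root, rel)]

def verdict(found):
    """'match' requires the launcher and the worm copy together. A Recycled
    folder with INFO2 and desktop.ini is also a genuine Recycle Bin layout on
    FAT volumes, so those files alone only rate 'partial'."""
    if "autorun.inf" in found and "Recycled/ctfmon.exe" in found:
        return "match"
    return "partial" if found else "clean"

def build_sample(kind):
    """Constructed test trees made of empty placeholder files."""
    trees = {"infected": ["AUTORUN.INF", "RECYCLED/Desktop.ini",
                          "RECYCLED/INFO2", "RECYCLED/CTFMON.EXE"],
             "partial": ["autorun.inf"], "clean": ["notes.txt"]}
    root = tempfile.mkdtemp()
    for rel in trees[kind]:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    return root

if __name__ == "__main__":
    for kind in ("infected", "partial", "clean"):
        found = scan_root(build_sample(kind))
        print(kind, verdict(found), found)
```

A "match" is a lead for closer inspection of the files, not a detection in itself; the genuine ctfmon.exe resides in the Windows System32 directory, so a copy inside Recycled is the strongest signal of the set.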



Analysis by Jaime Wong

Last update 22 May 2012

 
