Home / malware Worm:Win32/Fakerecy.B
First posted on 22 May 2012.
Source: MicrosoftAliases :
Worm:Win32/Fakerecy.B is also known as Win-Trojan/Recycled.20480 (AhnLab), Trojan.Win32.VB.aqt (Kaspersky), W32/VBTroj.CZS (Norman), Trojan.VB.EYCX (VirusBuster), Worm/VB.DYC (AVG), TR/VB.aqt.6 (Avira), Trojan.Recycle.D (BitDefender), Trojan.Recycle (Dr.Web), Win32/VB.AQT trojan (ESET), Trojan.Win32.VB (Ikarus), FakeRecycled (McAfee), W32.Fakerecy (Symantec), WORM_VB.SMF (Trend Micro).
Explanation :
Worm:Win32/Fakerecy.B is a worm that spreads via logical drives.
Installation
Worm:Win32/Fakerecy.B creates the following files in the system drive (which is usually C:):
- autorun.inf - detected as Worm:INF/Autorun.B
- Recycled\desktop.ini
- Recycled\INFO2
- Recycled\ctfmon.exe - copy of itself
- <startup folder>\ctfmon.exe
Note - <startup folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the Startup folder for Windows 9x, Me, NT, 2000, XP and 2003 is '%USERPROFILE%\Start Menu\Programs\Startup'. For Windows Vista and Windows 7, the default location is '%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'.
Note that its copy in the startup folder automatically runs when Windows starts.
Spreads via...
Logical drives
Worm:Win32/Fakerecy.B spreads to other computers by looking for accessible mapped drives (D: down to Z:). If it finds a drive, it creates the following files, similar to the ones that it drops in the system drive:
- autorun.inf - detected as Worm:INF/Autorun.B
- Recycled\desktop.ini
- Recycled\INFO2
- Recycled\ctfmon.exe - copy of itself
The "autorun.inf" file ensures that Worm:Win32/Fakerecy.B automatically runs when drives in which Autorun is enabled are accessed.
Analysis by Jaime Wong
Last update 22 May 2012
