
Win32.Auric.A@mm


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Win32.Auric.A@mm is also known as I-Worm.Magold.a (Kaspersky).

Explanation:

The worm sends itself by mail to all addresses in the Windows Address Book, as well as to e-mail addresses parsed from *.ht* files on the victim's hard drive.
Message details:


From: EROTIKA.LAP.HU
Subject: Maya Gold-os kepernyokimelo!
Attachment: "Maya Gold.scr"
Body:

Tisztelt cim!
Az EROTIKA.LAP.HU nezettsegenek novelese erdekeben egy kis izelitot
kivan adni kinalatabol az Internet felhasznaloknak!
FIGYELEM: A 'Maya Gold.scr' nevu csatolt allomany egy kepernyovedo.
Mint a neve is mutatja Maya Gold pornoszinesznorol tartalmaz kulonbozo
kepeket.
Az allomanyt ajanlott elobb a lemezre menteni, majd utana futtatni.

Amennyiben valami problemaja, kerdese van, irjon a kovetkezo cimre:
erotika@lap.hu

Udvozlettel: EROTIKA.LAP.HU


After sending messages to all recipients, the worm sends another mail, containing information about the victim's computer, to the virus coder:


From: EROTIKA.LAP.HU
To: rave-punk@freemail.hu
Subject: Maya Gold-os kepernyokimelo!
Body:

Szevasz haver!
Ez tokre bejott! Nesze a cucc:

Nev:

Winver:

Felkesz:

Megoszt:


PUNKS NOT DEAD


The recipients' e-mail addresses are stored in: %SystemDir%\ravec.txt
A fake error is displayed the first time the worm is run. After sending the mails, the worm creates many empty desktop files named raVe????, the color of windows is changed to red, and the default associations for ".exe", ".com", ".bat", ".scr" and ".pif" are replaced so that they target the worm executable - that is, when you start an executable, Windows will start the virus instead. From time to time, the following text is appended to the current window title:
"=:-) OFFSPRING is co0L =:-) PUNK'S NOT DEAD =:-)"
The worm copies itself to "C:\%WINDIR%\raVe\Maya Gold.scr", "C:\%WINDIR%\Maya Gold.scr" and "C:\%WINDIR%\raVe.exe" and creates the following registry keys so as to be run at startup:
Key: "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
Subkey: "raVe"
Value: "C:\%WINDIR%\raVe.exe"
Key: "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices"
Subkey: "raVe"
Value: "C:\%WINDIR%\raVe.exe"
Additional registry entries are created to keep track of virus activity:
Key: "HKEY_LOCAL_MACHINE\Software\raVe"
Subkeys:
Processes whose names contain the following strings are terminated: "AV", "NORT", "AFEE", "VIR", "ANTI".
The following extensions are associated with the virus executable:
".exe", ".scr", ".com", ".bat", ".pif".
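As an added defensive example (not part of the BitDefender write-up), the following Python parses a .reg export and flags the two persistence indicators listed above: Run/RunServices autostart entries, and executable file types whose shell\open\command no longer launches the file itself (an intact association starts with "%1"). The sample registry text, the C:\WINDOWS paths and the value names are constructed for illustration.

```python
import re
# Constructed sample of a .reg export (not from a real system) mirroring the
# write-up's persistence indicators: Run/RunServices entries and a hijacked
# shell\open\command for .exe files. Paths are illustrative.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"raVe"="C:\\WINDOWS\\raVe.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"raVe"="C:\\WINDOWS\\raVe.exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\WINDOWS\\raVe.exe\" \"%1\" %*"

[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"
'''
# File types the worm re-associates; an intact "open" command for these runs
# the file itself, so it should begin with "%1".
EXECUTABLE_TYPES = {"exefile", "comfile", "batfile", "scrfile", "piffile"}
AUTOSTART_SUFFIXES = ("\\currentversion\\run", "\\currentversion\\runservices")

def parse_reg(text):
    """Parse a .reg export into {key: {value_name: string_value}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = re.match(r'^(?:@|"(.*?)")="(.*)"$', line)
            if m:
                name = "(Default)" if m.group(1) is None else m.group(1)
                # .reg escapes backslashes and double quotes with a backslash
                keys[current][name] = re.sub(r'\\(["\\])', r"\1", m.group(2))
    return keys

def find_indicators(text):
    """Return (autostart entries, hijacked associations) found in a .reg dump."""
    autostarts, hijacks = [], []
    for key, values in parse_reg(text).items():
        parts = key.lower().split("\\")
        if key.lower().endswith(AUTOSTART_SUFFIXES):
            autostarts.extend(values.items())
        if len(parts) > 4 and parts[-3:] == ["shell", "open", "command"] and parts[1] in EXECUTABLE_TYPES:
            cmd = values.get("(Default)", "")
            if not cmd.startswith('"%1"'):  # something else runs before the file
                hijacks.append((parts[1], cmd))
    return autostarts, hijacks
```

On a live system the same checks apply to an export made with `reg export`; values under HKLM\Software\Classes would need the key prefix handled as well.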
A copy of the worm is put in the directories of the following peer-to-peer programs:
LimeWire, Gnucleus, Shareaza, BearShare, Edonkey2000, Morpheus,
Grokster, ICQ/Shared Files, Kazaa.
mIRC and Pirch are also infected by replacing script.ini or events.ini, if they exist, with new ones, so that every time a user joins a channel the victim sends him/her the virus by DCC.
If mapped network drives are found, the worm copies itself to them and creates autorun.inf files that would run it.
The worm attempts to update itself by FTP from ftp.fw.hu.

Last update 21 November 2011
