
Win32.Worm.VB.NPM


First posted on 21 November 2011.
Source: BitDefender

Aliases :

There are no other names known for Win32.Worm.VB.NPM.

Explanation :

When executed, it shows an Explorer window of an empty directory.
The malware creates the following files on all drives:
[DRIVE]:\autorun.inf
[DRIVE]:\Recycled\desktop.ini
[DRIVE]:\Recycled\INFO.exe

and sets the autorun.inf file to execute itself each time the drive is accessed.

shell\open\Command=RECYCLED\INFO.exe
shell\open\Default=1
shell\explore\Command=RECYCLED\INFO.exe
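
A defensive check built from the indicators above, as an added example that is not part of the original description: it parses autorun.inf text, reports open or shell-verb commands that launch an executable from the Recycled folder, and matches a drive's file listing against the three dropped files. The function names, the `[autorun]` section header and the sample input are assumptions constructed for illustration.

```python
import re

# The three files the description lists as created on every drive (lower-cased).
DROPPED = {"autorun.inf", "recycled\\desktop.ini", "recycled\\info.exe"}

# Constructed sample: the three entries quoted above, under an assumed [autorun] header.
SAMPLE = r"""[autorun]
shell\open\Command=RECYCLED\INFO.exe
shell\open\Default=1
shell\explore\Command=RECYCLED\INFO.exe
"""

def parse_autorun(text):
    """Return {lower-cased key: value} for the [autorun] section of an autorun.inf."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # skip blank lines and comments
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def suspicious_commands(entries):
    """Return the keys whose command starts an .exe located in the Recycled folder."""
    hits = []
    for key, value in entries.items():
        is_command = key in ("open", "shellexecute") or re.fullmatch(
            r"shell\\[^\\]+\\command", key)
        target = value.strip('"').replace("/", "\\").lower()
        if is_command and re.match(r"recycled\\[^\\]+\.exe", target):
            hits.append(key)
    return sorted(hits)

def drive_artifacts(relative_paths):
    """Return which of the dropped files appear in a drive's relative file listing."""
    seen = {p.replace("/", "\\").lstrip("\\").lower() for p in relative_paths}
    return sorted(DROPPED & seen)

if __name__ == "__main__":
    print(suspicious_commands(parse_autorun(SAMPLE)))
```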

It drops:
* %WINDOWS%\Config\Svchost.exe, which is a copy of itself;
* %WINDOWS%\Config\System.exe;
* %WINDOWS%\System.exe.

The last two files are created for the folder window properties.

It modifies the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
(initiates malware programs when the system boots),
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\System
and sets these values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt\ValueName
("HideFileExt")
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden\ValueName
("ShowSuperHidden").

Last update 21 November 2011

 
