W32.Dompie
First posted on 01 April 2015.
Source: Symantec

Aliases:
There are no other names known for W32.Dompie.
Explanation:
This worm spreads through removable drives.
Once executed, the worm creates the following files:
%SystemDrive%\WinShell\WinSeven.exe
%SystemDrive%\WinShell\WinCon.dll
%SystemDrive%\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\taskhost.exe
The worm creates the following registry entry so that it runs every time Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"WinShell" = "%SystemDrive%\WinShell\WinSeven.exe"
The worm then copies itself to the following locations:
%DriveLetter%\BiBin.exe
%DriveLetter%\[FOLDER NAME].exe
Note: [FOLDER NAME] is the name of the folder into which the worm copies itself. The copies named [FOLDER NAME].exe also carry a folder icon, so that each copy resembles the folder it sits beside.

Last update 01 April 2015
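The indicators above (the dropped files, the HKCU Run value, and the BiBin.exe / [FOLDER NAME].exe copies on removable drives) can be turned into a small triage check. The following is an added example written for this page, not Symantec's code and not part of the original writeup. It assumes only what the description states; the function names, the sample drive listing and the sample Run-key values are constructed for illustration. The folder-mimic rule (an `.exe` whose name matches a sibling folder) is a heuristic: it will also flag a benign installer left next to its own extracted folder, so treat hits as leads for a hash or signature check, not as a verdict.

```python
"""Triage helpers for the W32.Dompie indicators described above.

Added example, not Symantec's code. Names, sample data and helper
functions are assumptions for illustration only.
"""
import os
from typing import Dict, Iterable, List, Tuple

# Paths the writeup lists, relative to the system drive root.
DROPPED_FILES = (
    r"WinShell\WinSeven.exe",
    r"WinShell\WinCon.dll",
    r"ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\taskhost.exe",
)
RUN_KEY_PATH = r"Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "WinShell"
RUN_VALUE_DATA_SUFFIX = r"\WinShell\WinSeven.exe"
REMOVABLE_COPY = "BiBin.exe"


def find_folder_mimics(entries: Iterable[Tuple[str, bool]]) -> List[str]:
    """Flag suspicious entries in the root listing of a removable drive.

    `entries` yields (name, is_dir) pairs. Flags BiBin.exe and any
    `<name>.exe` that sits next to a folder called `<name>`, which is the
    worm's folder-icon disguise. Comparison is case-insensitive because
    FAT/NTFS names are.
    """
    entries = list(entries)
    folders = {name.lower() for name, is_dir in entries if is_dir}
    hits: List[str] = []
    for name, is_dir in entries:
        if is_dir:
            continue
        lower = name.lower()
        if lower == REMOVABLE_COPY.lower():
            hits.append(name)
            continue
        stem, ext = os.path.splitext(lower)
        if ext == ".exe" and stem in folders:
            hits.append(name)
    return hits


def scan_drive_root(path: str) -> List[str]:
    """Live variant: read the root of a mounted drive, e.g. 'E:\\\\'."""
    with os.scandir(path) as it:
        return find_folder_mimics(
            (e.name, e.is_dir(follow_symlinks=False)) for e in it
        )


def run_key_is_suspicious(run_values: Dict[str, str]) -> bool:
    """Check Run-key values (name -> data) for the worm's 'WinShell' entry.

    The system drive letter varies, so only the trailing
    '\\WinShell\\WinSeven.exe' part of the data is matched.
    """
    data = run_values.get(RUN_VALUE_NAME)
    if data is None:
        return False
    return data.strip('"').lower().endswith(RUN_VALUE_DATA_SUFFIX.lower())


def read_hkcu_run() -> Dict[str, str]:
    """Live variant for Windows hosts: enumerate HKCU\\...\\Run via winreg."""
    import winreg  # Windows-only; imported here so the module loads elsewhere
    values: Dict[str, str] = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY_PATH) as key:
        i = 0
        while True:
            try:
                name, data, _type = winreg.EnumValue(key, i)
            except OSError:
                break
            values[name] = str(data)
            i += 1
    return values


def dropped_files_present(system_drive: str = "C:") -> List[str]:
    """Live variant: return which of the dropped files exist on the host."""
    return [
        rel for rel in DROPPED_FILES
        if os.path.exists(system_drive + "\\" + rel)
    ]


# Constructed sample data (not captured from a real infection).
SAMPLE_DRIVE_ROOT = [
    ("Photos", True),
    ("Photos.exe", False),    # mimics the folder next to it
    ("Documents", True),
    ("BiBin.exe", False),     # the worm's fixed-name copy
    ("readme.txt", False),
    ("setup.exe", False),     # no sibling folder: not flagged by this rule
]
SAMPLE_RUN_VALUES = {
    "OneDrive": r"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
    "WinShell": r"C:\WinShell\WinSeven.exe",
}

if __name__ == "__main__":
    print("removable-drive hits:", find_folder_mimics(SAMPLE_DRIVE_ROOT))
    print("Run key suspicious:", run_key_is_suspicious(SAMPLE_RUN_VALUES))
```

On a live Windows host, `scan_drive_root("E:\\")`, `read_hkcu_run()` and `dropped_files_present()` feed the same checks with real data; the pure functions are kept separate so the logic can be exercised offline against a listing exported from another machine.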