Malware type: File infector

Aliases: Worm.Win32.AutoRun.dla (Kaspersky), W32.SillyDC (Symantec), Worm/Otwycal.I (Avira), Mal/Behav-010 (Sophos),

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 98, ME, NT, 2000, XP, Server 2003

Encrypted: No

Description: 

This file infector may be downloaded from certain remote sites. It may be installed manually by a user. It may be downloaded unknowingly by a user when visiting malicious Web sites.

It drops copies of itself.

It creates registry entries to enable its automatic execution at every system startup. It creates registry key(s)/entry(ies) as part of its installation routine.

It infects by appending its code to target host files. It infects specific files. Trend Micro detects infected files as PE_CAOLYWA.E. It searches the network for certain shares, into which it attempts to drop copies of itself.

It drops copies of itself in all physical and removable drives. It drops an AUTORUN.INF file to automatically execute dropped copies when the drives are accessed.

It accesses Web sites to download a file. The said file contains links where the following malicious files can be downloaded from:

• TSPY_ONLINEG.PQI
• TSPY_ONLINEG.TGV
• TROJ_DLOADER.LXX
• TROJ_SMALL.GIX

It saves the downloaded files using certain file names. As a result, malicious routines of the downloaded spyware and Trojan are exhibited on the affected system.

For additional information about this threat, see:
Solution
Technical Details

Description created: May. 16, 2008 12:06:11 PM GMT -0800

Search a new malware

Tell us how we did. Take our quick survey.