Description:
For an at-a-glance view of this malware's behavior, refer to the Behavior Diagram shown below.
Malware Overview
This worm may be downloaded from remote sites by other malware. It may also arrive bundled with malware packages as a malware component.
It may be dropped by the following malware:
It may also arrive via removable drives, network shares, or through a vulnerability.
It drops copies of itself. This technique prevents dropping of several copies of itself on already affected systems. It also locks its dropped copy to prevent users from reading, writing, and deleting it.
It registers itself as a system service to ensure its automatic execution at every system startup. It does this by creating registry keys/entries.
This worm takes advantage of a vulnerability discovered in the Server service used by certain Microsoft operating systems that could allow remote code execution. More information on the said vulnerability can be found in the following link:
It drops a copy of itself in all available removable and network drives. It drops an AUTORUN.INF file to automatically execute dropped copies when the drives are accessed.
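A defender-side check for the AUTORUN.INF behavior described above, as an added example that is not part of the original description: it parses an AUTORUN.INF file and lists the entries that would launch a program when the drive is accessed. The sample content, the file names in it, and the helper names `autorun_commands` and `scan_roots` are constructed for illustration.

```python
import re
from pathlib import Path

# [autorun] keys that launch a program when the drive is opened or AutoPlay runs.
EXEC_KEYS = ("open", "shellexecute")
SHELL_COMMAND = re.compile(r"^shell\\[^\\=]+\\command$")

def autorun_commands(raw: bytes):
    """Return (key, command) pairs in the [autorun] section that start a program.

    Junk is tolerated: non-text bytes, lines without '=', and other sections.
    """
    in_autorun, found = False, []
    for line in re.split(r"[\r\n]+", raw.decode("latin-1")):  # latin-1 never fails
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
        elif in_autorun and not line.startswith(";") and "=" in line:
            key, _, value = line.partition("=")
            key, value = key.strip().lower(), value.strip()
            if value and (key in EXEC_KEYS or SHELL_COMMAND.match(key)):
                found.append((key, value))
    return found

def scan_roots(roots):
    """Map each drive root holding an autorun.inf to its launch commands.

    None means the file exists but could not be read, which deserves a look too.
    """
    report = {}
    for root in map(Path, roots):
        if not root.is_dir():
            continue
        for entry in root.iterdir():
            if entry.name.lower() == "autorun.inf" and entry.is_file():
                try:
                    report[str(root)] = autorun_commands(entry.read_bytes())
                except OSError:
                    report[str(root)] = None
    return report

# Constructed sample: padding bytes, a harmless icon entry, two launch entries.
SAMPLE = (b"\x8f\x02 padding\r\n[AutoRun]\r\n; constructed sample\r\n"
          b"icon=drive.ico\r\nOPEN = copy.exe\r\n\xfe\xff more padding\r\n"
          b"shell\\open\\command=copy.exe /s\r\n[Other]\r\nopen=ignored.exe\r\n")

if __name__ == "__main__":
    for key, command in autorun_commands(SAMPLE):
        print(f"{key} -> {command}")
```

Pass `scan_roots` the roots of mounted removable and network drives; any root that maps to a non-empty list carries an AUTORUN.INF that starts a program.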
It creates mutex(es) to ensure that only one instance of itself is running in memory.
It attempts to connect to several URLs to download files. The download URLs are updated and changed every day. A list of the URLs that it connects to can be found in this Trend Micro page.
For additional information about this threat, see: Solution Technical Details
Description created: Dec. 30, 2008 1:39:35 PM GMT -0800