WORM_SILLY.CQ
Overview

Malware type: Worm

Aliases: Trojan-Downloader.Win32.Delf.bny (Kaspersky), W32/Autorun.worm.b (McAfee), W32.SillyDC (Symantec), TR/Delphi.Downloader.Gen (Avira), Mal/Heuri-E (Sophos)

In the wild: Yes

Destructive: Yes

Language: English

Platform: Windows 98, ME, NT, 2000, XP, Server 2003

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential: High

Distribution potential: High

Infection Channel 1: Propagates via removable drives

Infection Channel 2: Copies itself in all available physical drives


Description:

To get a one-glance comprehensive view of the behavior of this malware, refer to the behavior diagram shown below.

[WORM_SILLY.CQ Behavior Diagram]

Malware Overview

This worm arrives on a system as a component bundled with malware packages. It can also be downloaded by an unsuspecting user when visiting malicious Web sites.

It spreads by dropping copies of itself on all physical and removable drives. It also infects certain files by appending an invisible IFRAME that links to a malicious site. Files infected in this way are detected by Trend Micro as HTML_SILLY.CQ.
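The appended invisible IFRAME is the one artifact of this worm that a defender can look for directly in web content. The scanner below is an added example, not Trend Micro's detection or the worm's code; it flags IFRAMEs that are zero-sized, hidden by style, or placed after the document's closing `</html>` tag, which is where appended injections land. The sample pages and the `malicious.example` URL are constructed placeholders, not indicators from this entry.

```python
import re
from html.parser import HTMLParser

# Constructed sample: a benign page with a hidden IFRAME appended after </html>,
# the pattern described for files detected as HTML_SILLY.CQ. The URL is a
# placeholder, not an indicator taken from the threat entry.
SAMPLE_INFECTED = (
    "<html><body><h1>Company news</h1></body></html>\n"
    '<iframe src="http://malicious.example/loader" width="0" height="0" '
    'style="display:none"></iframe>\n'
)
# Constructed clean sample: a visible, legitimately sized IFRAME inside the body.
SAMPLE_CLEAN = ('<html><body><iframe src="/help" width="400" height="300">'
                '</iframe></body></html>')

_HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


def _is_zero(value):
    """True when a width/height attribute collapses the frame (0, 0px, 0%)."""
    return value is not None and re.fullmatch(r"\s*0+(px|%)?\s*", value) is not None


class HiddenIframeFinder(HTMLParser):
    """Collects IFRAMEs that are invisible or that appear after </html>."""

    def __init__(self):
        super().__init__()
        self.html_closed = False
        self.findings = []

    def handle_endtag(self, tag):
        if tag == "html":
            self.html_closed = True  # anything after this point was appended

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        hidden = (_is_zero(a.get("width")) and _is_zero(a.get("height"))) \
            or bool(_HIDDEN_STYLE.search(a.get("style") or ""))
        if hidden or self.html_closed:
            self.findings.append({"src": a.get("src"), "hidden": hidden,
                                  "after_html_close": self.html_closed,
                                  "line": self.getpos()[0]})


def find_hidden_iframes(html_text):
    """Return a list of suspicious IFRAME findings for one HTML document."""
    parser = HiddenIframeFinder()
    parser.feed(html_text)
    parser.close()
    return parser.findings
```

Run `find_hidden_iframes` over the text of each HTML file on a suspect drive; a non-empty result is a candidate for the HTML_SILLY.CQ infection described above, and the `src` value is the link to examine.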

It downloads several files, including the following grayware and malware:

  • ADW_BDSEARCH.HC
  • BKDR_AGENT.GUO
  • BKDR_DELF.GZL
  • DDOS_RINCUX.BG
  • TROJ_AGENT.XUH
  • TROJ_DELF.IHN
  • TROJ_DELF.IVK
  • TROJ_NSPAK.A
  • TROJ_TINY.FF
  • WORM_WINKO.AD

As a result, routines of related malware are also exhibited on the affected system.

Notably, this worm also installs Chinese Navigation 2.6.0.0, a popular search toolbar in China.

It terminates certain processes and deletes files with a particular extension. It also changes the Internet Explorer start page by modifying the registry.


Description created: Aug. 3, 2007 1:14:32 PM GMT -0800
