Worm.Win32.AutoRun.mwc

[Malekal_morte]

Message de propagation :

you need to see this picture of me its really REALLY good!
do you like when I take these kinda pics? they are so much fun and nauty
love the way u dress in this picture, you remember this?
I have this old pic of you, u look so much different than now
I wont drink again omg look at this pic :(

L'infection ajoute la ligne suivante sur HijackThis :

O4 - HKCU\..\Run: [Symantec Licensing Server] = "symlserv.exe"

NOTE : le malware supprime le menu "options des dossiers" et enlève la visibilité des fichiers cachés.
L'utilisateur ne peux remettre réactiver l'option.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoFolderOptions"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoRun"
Type: REG_DWORD
Data: 01, 00, 00, 00

Fichier 0x001.exe reçu le 2008.09.08 11:20:07 (CET)
Situation actuelle: en cours de chargement ... mis en file d'attente en attente en cours d'analyse terminé NON TROUVE ARRETE
Résultat: 5/36 (13.89%)

Antivirus Version Dernière mise à jour Résultat
AhnLab-V3 2008.9.6.0 2008.09.08 -
AntiVir 7.8.1.28 2008.09.08 -
Authentium 5.1.0.4 2008.09.07 -
Avast 4.8.1195.0 2008.09.07 -
AVG 8.0.0.161 2008.09.07 -
BitDefender 7.2 2008.09.08 -
CAT-QuickHeal 9.50 2008.09.06 -
ClamAV 0.93.1 2008.09.07 -
DrWeb 4.44.0.09170 2008.09.08 -
eSafe 7.0.17.0 2008.09.07 -
eTrust-Vet 31.6.6072 2008.09.05 Win32/Slenfbot!generic
Ewido 4.0 2008.09.07 -
F-Prot 4.4.4.56 2008.09.07 -
F-Secure 8.0.14332.0 2008.09.08 -
Fortinet 3.112.0.0 2008.09.08 -
GData 19 2008.09.08 -
Ikarus T3.1.1.34.0 2008.09.08 VirTool.Win32.DelfInject.AF
K7AntiVirus 7.10.443 2008.09.05 -
Kaspersky 7.0.0.125 2008.09.08 -
McAfee 5378 2008.09.05 -
Microsoft 1.3903 2008.09.08 VirTool:Win32/Injector.gen!D
NOD32v2 3424 2008.09.07 a variant of Win32/Injector.CR
Norman 5.80.02 2008.09.05 -
Panda 9.0.0.4 2008.09.07 -
PCTools 4.4.2.0 2008.09.07 -
Prevx1 V2 2008.09.08 Suspicious
Rising 20.61.02.00 2008.09.08 -
Sophos 4.33.0 2008.09.08 -
Sunbelt 3.1.1616.1 2008.09.07 -
Symantec 10 2008.09.08 -
TheHacker 6.3.0.8.075 2008.09.06 -
TrendMicro 8.700.0.1004 2008.09.08 -
VBA32 3.12.8.5 2008.09.07 -
ViRobot 2008.9.8.1366 2008.09.08 -
VirusBuster 4.5.11.0 2008.09.07 -
Webwasher-Gateway 6.6.2 2008.09.08 -
Information additionnelle
File size: 61440 bytes
MD5...: eec597922a691ee35de1bdcc5abadac5
SHA1..: 23d9f93cbdcc5488df5dc201f39177bb34b77505

[Malekal_morte]

Variante, avec comme message de propagation :

do you care if I upload this pic to my new profile?
have you seen this last pic I created in photoshop?
I just found this awesome wallpaper, I think its PERFECT for you!!
You missed out the party! It was pretty intense, take a look!
can I put this picture of you on my new blog?
hey have u seen the party pictures from last weekend? ufff!
I think this is the definition of sexyness!! What do you think?
Have you ever seen me when I was a kid? This pic is a little embarassing, but funny.
do you mind if I throw this picture of you on my new blog?
Did you know I'm taking adobe photo classes? This is my newest project
can I upload this picture of you onto my newest album?
This is just pure insanity. My god, look at the nonsense on this guys shirt haha!

Fichier x002.exe reçu le 2008.09.09 07:58:18 (CET)
Situation actuelle: en cours de chargement ... mis en file d'attente en attente en cours d'analyse terminé NON TROUVE ARRETE
Résultat: 8/36 (22.23%)


Antivirus Version Dernière mise à jour Résultat
AhnLab-V3 2008.9.6.0 2008.09.09 -
AntiVir 7.8.1.28 2008.09.08 TR/Crypt.CFI.Gen
Authentium 5.1.0.4 2008.09.09 -
Avast 4.8.1195.0 2008.09.08 -
AVG 8.0.0.161 2008.09.08 Dropper.Generic.ABDF
BitDefender 7.2 2008.09.09 -
CAT-QuickHeal 9.50 2008.09.06 -
ClamAV 0.93.1 2008.09.09 -
DrWeb 4.44.0.09170 2008.09.08 Win32.HLLW.Autoruner.2685
eSafe 7.0.17.0 2008.09.07 -
eTrust-Vet 31.6.6078 2008.09.09 Win32/Slenfbot!generic
Ewido 4.0 2008.09.08 -
F-Prot 4.4.4.56 2008.09.08 -
F-Secure 8.0.14332.0 2008.09.09 -
Fortinet 3.112.0.0 2008.09.08 -
GData 19 2008.09.09 -
Ikarus T3.1.1.34.0 2008.09.09 VirTool.Win32.DelfInject.AF
K7AntiVirus 7.10.446 2008.09.08 -
Kaspersky 7.0.0.125 2008.09.09 -
McAfee 5379 2008.09.08 -
Microsoft 1.3903 2008.09.09 VirTool:Win32/Injector.gen!D
NOD32v2 3426 2008.09.08 a variant of Win32/Injector.CR
Norman 5.80.02 2008.09.08 -
Panda 9.0.0.4 2008.09.08 -
PCTools 4.4.2.0 2008.09.09 -
Prevx1 V2 2008.09.09 -
Rising 20.61.10.00 2008.09.09 -
Sophos 4.33.0 2008.09.09 -
Sunbelt 3.1.1616.1 2008.09.07 -
Symantec 10 2008.09.09 -
TheHacker 6.3.0.8.075 2008.09.06 -
TrendMicro 8.700.0.1004 2008.09.09 -
VBA32 3.12.8.5 2008.09.08 -
ViRobot 2008.9.9.1368 2008.09.09 -
VirusBuster 4.5.11.0 2008.09.08 -
Webwasher-Gateway 6.6.2 2008.09.09 Trojan.Crypt.CFI.Gen
Information additionnelle
File size: 76800 bytes
MD5...: 945fa3ae8458e8d36761e6674e21abfd
SHA1..: 7bb1c5275031851fcf1533acc44b1ac39b2615cd

[Malekal_morte]

Kaspersky :

Hello,

x002.exe_ - Worm.Win32.AutoRun.mwc

This file is already detected. Please update your antivirus bases.

Please quote all when answering.