W32/Autorun.MWB!worm

Alias/es: Worm.Win32.AutoRun.mwb (KAV), Spy-Agent.bw trojan (McAfee), WORM_AUTORUN.ASR (Trend), Worm:Win32/Emold.gen!D (Microsoft), Trojan.Zbot-2114 (ClamAV), Win32.Worm.Autorun.MF (BitDefender)
Release Date: Sep 10, 2008
Detection Availability
Active Database  Extended Database
FortiGate  low  high
FortiClient
FortiMail  N/A
Current Antivirus Definition Database Version: 12.202
Description

Visible Symptoms

  • Deletes itself from the current directory.

Detailed Analysis

  • The behavior of this variant is very similar to W32/Agent.5190!tr.dldr.

  • Downloads data from the following URLs:
    • http://dr{removed}.ru/ld.php?v=1&rs=%u&uid=1
    • http://dr{removed}.ru/ld.php?v=1&id=%s&rs=%u&cc=0&uid=1
    • http://dr{removed}.ru/ld.php?v=1&rs=%u&n=1&uid=1
    • http://dr{removed}.ru/ld.php?v=1&id=%s&rs=%u&n=1&cc=0&uid=1

    Description Last Updated Date: Sep 15, 2008
    Reference: ID - 557440