W32/AutoRun.MYY!worm - Released Sep 10, 2008 - Last Updated Sep 15, 2008
Alias/es: Worm.Win32.AutoRun.myy (KAV), Spy-Agent.bw.gen.g (McAfee), Adware/RogueAntimalware2008 (Panda), Trojan.Downloader.Kobcka.D (BitDefender), Trojan.Zbot-2114 (ClamAV)
Detection Availability
Visible Symptoms
Deletes itself from the current directory.
Detailed Analysis
The behavior of this variant is very similar to W32/Agent.5190!tr.dldr.
Downloads data from the following URLs:
- http://aas{removed}.ru/load4/ld.php?v=1&rs=%u&uid=1
- http://aas{removed}.ru/load4/ld.php?v=1&id=%s&rs=%u&cc=0&uid=1
- http://aas{removed}.ru/load4/ld.php?v=1&rs=%u&n=1&uid=1
- http://aas{removed}.ru/load4/ld.php?v=1&id=%s&rs=%u&n=1&cc=0&uid=1
- http://aas{removed}.ru/loadx/ld.php?v=1&rs=%u&uid=1
- http://aas{removed}.ru/loadx/ld.php?v=1&id=%s&rs=%u&cc=0&uid=1
- http://aas{removed}.ru/loadx/ld.php?v=1&rs=%u&n=1&uid=1
- http://aas{removed}.ru/loadx/ld.php?v=1&id=%s&rs=%u&n=1&cc=0&uid=1
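The URLs above are printf-style templates, so they can be turned into detection patterns for proxy or web-gateway logs. The following is an added example, not part of the original description: it matches on path and query only because the host is redacted here, and the log format, client addresses and example.test host are constructed for illustration. It assumes %u is an unsigned decimal and %s contains no "&" or whitespace.

```python
import re
from urllib.parse import urlsplit

# Path+query templates taken from the URL list above (host is redacted there).
QUERIES = [
    "v=1&rs=%u&uid=1",
    "v=1&id=%s&rs=%u&cc=0&uid=1",
    "v=1&rs=%u&n=1&uid=1",
    "v=1&id=%s&rs=%u&n=1&cc=0&uid=1",
]
TEMPLATES = [f"/{d}/ld.php?{q}" for d in ("load4", "loadx") for q in QUERIES]

# Assumption: %u is an unsigned decimal, %s has no '&' or whitespace.
PLACEHOLDERS = {"%u": r"\d+", "%s": r"[^&\s]+"}

def template_to_regex(template):
    """Escape literal text and swap printf placeholders for regex classes."""
    parts = re.split(r"(%[us])", template)
    return re.compile("".join(PLACEHOLDERS.get(p) or re.escape(p) for p in parts))

COMPILED = [(t, template_to_regex(t)) for t in TEMPLATES]

def match_request(url):
    """Return the matching template for a requested URL, or None."""
    parts = urlsplit(url)
    target = parts.path + ("?" + parts.query if parts.query else "")
    for template, rx in COMPILED:
        if rx.fullmatch(target):
            return template
    return None

def scan(log_lines):
    """Scan 'client method url' lines (constructed format) and return hits."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) >= 3 and (t := match_request(fields[2])):
            hits.append((fields[0], fields[2], t))
    return hits

# Constructed sample log lines; the host is a placeholder, not from the page.
SAMPLE_LOG = [
    "10.0.0.5 GET http://c2.example.test/load4/ld.php?v=1&rs=13441600&uid=1",
    "10.0.0.7 GET http://c2.example.test/loadx/ld.php?v=1&id=ab12cd&rs=77&n=1&cc=0&uid=1",
    "10.0.0.9 GET http://www.example.test/index.php?v=1&rs=5&uid=1",
    "10.0.0.9 GET http://c2.example.test/load4/ld.php?v=1&rs=abc&uid=1",
]

if __name__ == "__main__":
    for client, url, template in scan(SAMPLE_LOG):
        print(f"{client} requested {url} (matches {template})")
```

Because the match ignores the host, a hit identifies the request shape rather than a specific server and should be reviewed together with the client's other activity.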
Recommended Action
FortiGate Systems
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
FortiClient Systems
- Quarantine/delete files that are detected and replace infected files with clean backup copies.