Sunday, May 18, 2008

Remove W32/Drowor.worm

Aliases
TR/VB.aei (H+BEDV)
Virus.Win32.Drowor.b (Kaspersky)
W32/Drowor (McAfee)
Win32.Drowor.A (Virusbuster)
Worm.VB-117 (Clamav)
Worm/VB.6.A (Grisoft)

Characteristics
W32/Drowor.worm may be sent around using the deceiving filename "Google Earth .scr" (note the space before the extension), with a file size of 58,736 bytes (decimal).
The file is written in Microsoft Visual Basic 5 and is not internally compressed with a packer. When run in our test environment it raised an error saying it needs a dynamic link library called "thumbs .db". It did not copy itself to another location on the system, nor did it drop other files or make registry entries. It failed to spread to other test systems in our test environment.
Looking at the code, it seems to have Asian origin, possibly Indonesian; an example is the word "Surabaya".
It tries to modify the file autoexec.bat to display a message at system start: "Don't kill me, i'm just send message from your computer"
If msvb60.dll gets copied to "thumbs .db", the worm may infect other binary files in the directory the malware was run from. Binaries infected this way are also detected as W32/Drowor. The infection routine does not always work.

Symptoms
- Presence of the file "Google Earth .scr" with a file size of 58,736 bytes (decimal).
- Unexpected messages appearing with Asian origin, possibly Indonesian; an example is the word "Surabaya".
- Modified autoexec.bat displaying a message at system start: "Don't kill me, i'm just send message from your computer"
- Modified PE binary files

Method of Infection
Manual infection; there is no exploit associated with it.

Removal
All Users: Use current engine and DAT files for detection and removal. Modifications made to the system registry and/or INI files for the purposes of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).
Additional Windows ME/XP removal considerations
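The symptoms above can be turned into a small triage script. What follows is an added example written for this page, not code from the original write-up or from any vendor: it walks a directory tree and flags (a) a file named "Google Earth .scr" of exactly 58,736 bytes, (b) any other ".scr" file with a space before the extension, (c) an autoexec.bat that carries the worm's message, and (d) PE binaries whose body contains one of the strings the description mentions ("thumbs .db", "Surabaya", the autoexec message). Treating those strings as markers inside infected binaries is an assumption of this example; the description only says that infected PE files exist, not what they look like. The minimal PE check (MZ header, e_lfanew, "PE\0\0" signature) and the make_fake_pe() helper used to build an in-memory sample are likewise constructed for the example.

```python
"""Triage helper for the W32/Drowor.worm indicators listed in the description.
Added example, not part of the original page; marker strings inside PE files
are an assumption, not a documented infection signature."""
import os
import struct

DROPPER_NAME = "Google Earth .scr"
DROPPER_SIZE = 58736  # bytes, decimal, as stated in the description
AUTOEXEC_MESSAGE = "Don't kill me, i'm just send message from your computer"
# Strings quoted in the description. Using them as body markers of infected
# binaries is this example's assumption.
BODY_MARKERS = (b"thumbs .db", b"Surabaya", AUTOEXEC_MESSAGE.encode("latin-1"))
PE_EXTENSIONS = {".exe", ".scr", ".dll"}


def is_pe(data: bytes) -> bool:
    """Minimal PE check: 'MZ' at offset 0, 'PE\\0\\0' at the e_lfanew offset."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def has_deceptive_name(name: str) -> bool:
    """'Google Earth .scr' style: a space before the .scr extension so the
    screensaver executable reads like a harmless file in Explorer."""
    base, ext = os.path.splitext(name)
    return ext.lower() == ".scr" and base.endswith(" ")


def autoexec_modified(text: str) -> bool:
    """autoexec.bat symptom: the worm's message was appended to the file."""
    return AUTOEXEC_MESSAGE.lower() in text.lower()


def scan_file(path: str, data: bytes) -> list[str]:
    """Return a list of findings for one file's name and content."""
    findings = []
    name = os.path.basename(path)
    if name.lower() == DROPPER_NAME.lower() and len(data) == DROPPER_SIZE:
        findings.append("dropper name and size match")
    elif has_deceptive_name(name):
        findings.append("suspicious ' .scr' filename")
    if name.lower() == "autoexec.bat" and autoexec_modified(data.decode("latin-1")):
        findings.append("autoexec.bat carries Drowor message")
    if os.path.splitext(name)[1].lower() in PE_EXTENSIONS and is_pe(data):
        hits = [m.decode("latin-1") for m in BODY_MARKERS if m in data]
        if hits:
            findings.append("PE contains marker(s): " + ", ".join(hits))
    return findings


def scan_tree(root: str) -> dict[str, list[str]]:
    """Walk a directory tree and collect findings per path."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue
            found = scan_file(path, data)
            if found:
                results[path] = found
    return results


def make_fake_pe(payload: bytes) -> bytes:
    """Constructed test sample: a 0x40-byte MZ stub with e_lfanew=0x40 followed
    by the PE signature and an arbitrary body. Not a real executable."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + b"PE\0\0" + payload


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for p, f in scan_tree(root).items():
        print(p, "->", "; ".join(f))
```

Run it against a copy of the suspect directory (the one the ".scr" was launched from, since that is where the description says other binaries may be infected) and against the system root for autoexec.bat. A hit on the name/size rule or the autoexec message is strong; a PE marker hit only says "look at this file", because the marker strings are borrowed from the dropper's own text and have not been confirmed in infected hosts.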
