PE_ROACH.A
Aliases: Worm:Win32/Roach.A@mm (Microsoft), W32.Efortune.31384@mm (Symantec), Email-Worm.Win32.Roach.A (Ikarus), probably unknown NewHeur_PE virus (Eset)
Platform: Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
Threat Type: File infector
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This file infector may be dropped by other malware.
It requires its main component to successfully perform its intended routine.
TECHNICAL DETAILS
File Size: 60,416 bytes
File Type: EXE
Memory Resident: Yes
Initial Samples Received Date: 23 Sep 2011
Arrival Details
This file infector may be dropped by other malware.
Installation
This file infector drops the following files:
- %Windows%\kernel32.dll
- %Windows%\WININIT.INI
- %System%\cookie.att
- %System%\kernel32.vll
(Note: %Windows% is the Windows folder, which is usually C:\Windows. %System% is the Windows system folder, which is usually C:\Windows\System32.)
Autostart Technique
This file infector adds the following registry entries to enable its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
mmsys = "%User Temp%\mmsys32.exe"
File Infection
This is the Trend Micro detection for files infected by:
- PE_ROACH
Other Details
This file infector connects to the following possibly malicious URL:
- {BLOCKED}n.nl.eu.undernet.org
- pop.{BLOCKED}net.com
It requires its main component to successfully perform its intended routine.