WORM_CONFUSER.A
RDN/Generic.hra!j (McAfee), Troj/Agent-AANA (Sophos), W32/Injector_Autoit.GI (Fortinet), Trojan.Win32.Scarsi (Ikarus), Win32/Injector.Autoit.GI trojan (ESET)
Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
Threat Type: Worm
Destructiveness: No
Encrypted: Yes
In the wild: Yes
OVERVIEW
Propagates via removable drives, Propagates via social networking sites, Spammed via email
This worm arrives as an attachment to email messages spammed by other malware/grayware or malicious users. It arrives via removable drives. It may arrive on a system by clicking spammed malicious links on the social networking site Facebook.
It contains errors in its code. This stops it from performing its routines.
TECHNICAL DETAILS
978,653 bytes
EXE
AutoIt
Yes
09 Mar 2013
Arrival Details
This worm arrives as an attachment to email messages spammed by other malware/grayware or malicious users.
It arrives via removable drives.
It may arrive on a system by clicking spammed malicious links on the social networking site Facebook.
Installation
This worm injects codes into the following process(es):
- mshta.exe
Other Details
This worm checks for the presence of the following process(es):
- egui.exe
It contains errors in its code. This stops it from performing its routines.
NOTES:
It attemps to create an autorun registry to ensure its automatic execution every system startup to the following key:
HKEY_CURRENT_USER\Microsoft\Windows\CurrentVersion\Run
It intends to propagate through the following:
- removable drives
- local networks
- Facebook messages
It attempts to disable AV software.
It checks if it is running under the following BIOS versions and Virtualization Software or Sandbox:
BIOS versions:
- AMI - 8000314
- AMI - 9000816
- AMI - 6000901
- AMI - 2000622
- AL - 1000831
Virtualization Software:
- Virtual Machine
- Virtual PC 2007
- Virual Server 2005 R2
- Virual Server 2005 R2 SP1
- Windows Virtual PC
SOLUTION
9.300
9.776.02
09 Mar 2013
9.777.00
09 Mar 2013
Step 1
Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.
Step 2
Scan your computer with your Trend Micro product and note files detected as WORM_CONFUSER.A
Step 3
Restart in Safe Mode
Step 4
Search and delete files detected as WORM_CONFUSER.A
Step 5
Restart in normal mode and scan your computer with your Trend Micro product for files detected as WORM_CONFUSER.A. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
Did this description help? Tell us how we did.