WORM_CMDLOH.AA
Aliases: P2P-Worm.Win32.CMDloh.b (Kaspersky); Worm:Win32/Autorun.ABS (Microsoft)
Platform: Windows 2000, Windows XP, Windows Server 2003
Threat Type: Worm
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This worm arrives via peer-to-peer (P2P) shares. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It connects to certain websites to send and receive information.
TECHNICAL DETAILS
File size: 102,400 bytes
File type: EXE
14 Feb 2012
Arrival Details
This worm arrives via peer-to-peer (P2P) shares.
It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This worm drops the following copy of itself into the affected system:
- %System%\wcynsvc.exe
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)
Autostart Technique
This worm registers itself as a system service to ensure its automatic execution at every system startup by adding the following registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wnetwisk
ImagePath = "%System%\wcynsvc.exe"
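For triage, the service entry above can be searched for in a regedit-format text export of the Services key. The following is an added example, not part of the original entry. It assumes the export is already decoded to text; the function names, the sample export and the `C:\WINDOWS` path are constructed for illustration. It handles `ImagePath` stored either as a quoted string or as a `hex(2)` expandable string, which is how regedit exports it.

```python
import re

# Indicators from this page; all sample data below is constructed.
SERVICE_NAME = "wnetwisk"
DROPPED_FILE = "wcynsvc.exe"

def decode_value(raw):
    """Decode a .reg value: quoted REG_SZ, or hex(2) REG_EXPAND_SZ (UTF-16LE)."""
    raw = raw.strip()
    if raw.startswith('"'):
        return raw[1:-1].replace("\\\\", "\\")
    m = re.match(r"hex\(2\):(.*)", raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(1).split(",") if b.strip())
        return data.decode("utf-16-le", errors="replace").rstrip("\x00")
    return raw

def find_hits(reg_text):
    """Return (key, reason) pairs for service keys matching the indicators."""
    # Long hex values are wrapped with a trailing backslash; rejoin them first.
    text = re.sub(r"\\\r?\n\s*", "", reg_text)
    name_re = re.compile(r"(?:^|[\\/])" + re.escape(DROPPED_FILE) + r'(?=$|[\s"])', re.I)
    hits, key = [], None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            m = re.search(r"\\Services\\([^\\]+)$", key, re.I)
            if m and m.group(1).lower() == SERVICE_NAME:
                hits.append((key, "service name"))
        elif key and line.lower().startswith('"imagepath"='):
            path = decode_value(line.split("=", 1)[1])
            if name_re.search(path):
                hits.append((key, "ImagePath=" + path))
    return hits

def to_hex2(s):
    """Encode a string the way regedit exports REG_EXPAND_SZ (sample builder)."""
    return "hex(2):" + ",".join("%02x" % b for b in (s + "\0").encode("utf-16-le"))

# Constructed export; the C:\WINDOWS path and the Dhcp entry are assumptions.
SAMPLE = "\n".join([
    "Windows Registry Editor Version 5.00", "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp]",
    r'"ImagePath"="C:\\WINDOWS\\system32\\svchost.exe -k netsvcs"', "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wnetwisk]",
    '"ImagePath"=' + to_hex2(r"C:\WINDOWS\system32\wcynsvc.exe"),
])

if __name__ == "__main__":
    for key, reason in find_hits(SAMPLE):
        print(key, "->", reason)
```

A match on the file name alone, under a different service key, is still reported, so a renamed service pointing at the same dropped copy is not missed.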
Other Details
This worm connects to the following websites to send and receive information:
- {BLOCKED}ng55.{BLOCKED}2.org
- {BLOCKED}ng33.{BLOCKED}p.net