JAVA_AGENT.MVH
Windows 2000, Windows XP, Windows Server 2003
Threat Type: Worm
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This worm arrives via removable drives. It may be unknowingly downloaded by a user while visiting malicious websites.
TECHNICAL DETAILS
Arrival Details
This worm arrives via removable drives.
It may be unknowingly downloaded by a user while visiting malicious websites.
Autostart Technique
This worm adds the following registry entries to enable its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{175975F5-C68F-0875-C827-9225E76EAC65}
StubPath = cmd /q /c STArT "" /I /B JAVAw -classpath {malware path and filename} a
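As an added example (not part of this description and not vendor code), the following Python scanner reads a constructed .reg export of the Active Setup hive and flags StubPath values showing the traits described above: a cmd /c start wrapper, a java/javaw launcher with -classpath, and a target under a Temp folder. The first component reuses the GUID from this entry; the second GUID, the sample paths and the heuristics are assumptions.

```python
import re
from typing import Dict, List

# Constructed .reg export (not captured from a real system). The first GUID is
# the one listed in this description; the second is a made-up benign entry.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{175975F5-C68F-0875-C827-9225E76EAC65}]
"StubPath"="cmd /q /c STArT \"\" /I /B JAVAw -classpath C:\\Documents and Settings\\user\\Local Settings\\Temp\\hsperfdata_XP\\528 a"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{11111111-2222-3333-4444-555555555555}]
"StubPath"="C:\\WINDOWS\\system32\\example.exe /setup"
'''

KEY_RE = re.compile(r'^\[(HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Active Setup'
                    r'\\Installed Components\\(\{[^}]+\}))\]$')
VALUE_RE = re.compile(r'^"StubPath"="(.*)"$')


def unescape_reg(value: str) -> str:
    # .reg files escape backslashes as \\ and double quotes as \"
    return value.replace('\\\\', '\\').replace('\\"', '"')


def assess_stubpath(cmd: str) -> List[str]:
    # Heuristics (assumed, not a vendor signature) for the StubPath shape above.
    low = cmd.lower()
    reasons = []
    if re.search(r'\bjavaw?\b', low) and '-classpath' in low:
        reasons.append('java launcher with -classpath')
    if re.search(r'\bcmd(\.exe)?\b.*\bstart\b', low):
        reasons.append('wrapped in cmd /c start')
    if '\\temp\\' in low or '%temp%' in low:
        reasons.append('target under a Temp directory')
    return reasons


def scan_active_setup(reg_text: str) -> List[Dict[str, object]]:
    # Walk the export, remember the current component GUID, assess each StubPath.
    findings, guid = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            guid = key.group(2)
            continue
        value = VALUE_RE.match(line)
        if value and guid:
            cmd = unescape_reg(value.group(1))
            reasons = assess_stubpath(cmd)
            if reasons:
                findings.append({'guid': guid, 'stubpath': cmd, 'reasons': reasons})
    return findings


if __name__ == '__main__':
    for hit in scan_active_setup(SAMPLE_REG):
        print(hit['guid'], '->', hit['stubpath'], '|', ', '.join(hit['reasons']))
```

On a live host, `reg export "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" out.reg` produces the same format, so the scanner can be pointed at a real export for triage.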
It drops the following files:
- {drive}\Autorun.inf
- %User Temp%\hsperfdata_{OS}\528
- %User Temp%\hsperfdata_{OS}\smss.exe
(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.)
Propagation
This worm drops the following copy of itself in all physical and removable drives:
- RECYCLER\{SID}\{random characters}.{random ext}
NOTES:
It connects to the following non-malicious URLs:
- http://www.bbc.co.uk
- http://godaddy.com
- http://www.godaddy.com/default.aspx