JAVA_AGENT.MVI
Windows 2000, Windows XP, Windows Server 2003
Threat Type: Worm
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This worm arrives via removable drives. It may be unknowingly downloaded by a user while visiting malicious websites.
TECHNICAL DETAILS
Arrival Details
This worm arrives via removable drives.
It may be unknowingly downloaded by a user while visiting malicious websites.
Autostart Technique
This worm adds the following registry entries to enable its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{175975F5-C68F-0875-C827-9225E76EAC65}
StubPath = cmd /q /c STArT "" /I /B JAVAw -classpath %User Temp%\jar_cache4680028483526636544.tmp a
It drops the following files:
- {drive}\Autorun.inf
- %User Temp%\hsperfdata_{OS}\528
- %User Temp%\hsperfdata_{OS}\smss.exe
- %User Temp%\hsperfdata_{OS}\Ticr.Dll
(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.)
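A detection check for the Active Setup autostart entry described above, as an added example that is not part of the original write-up: it parses `reg query` output for StubPath values and flags those that launch java/javaw with a classpath in a Temp folder or in a jar_cache*.tmp file. The sample output, the benign first entry and the user name "alice" are constructed for illustration.

```python
import re

# Constructed sample of the output of:
#   reg query "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" /s /v StubPath
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000001}
    StubPath    REG_EXPAND_SZ    "%ProgramFiles%\Example App\setup.exe" /peruser

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{175975F5-C68F-0875-C827-9225E76EAC65}
    StubPath    REG_SZ    cmd /q /c STArT "" /I /B JAVAw -classpath C:\Documents and Settings\alice\Local Settings\Temp\jar_cache4680028483526636544.tmp a
"""

JAVA = re.compile(r"(?<![\w.])javaw?(?:\.exe)?(?![\w.])", re.I)   # java / javaw launcher
CLASSPATH = re.compile(r"-(?:classpath|cp)\s+(.*)", re.I)          # text after the classpath flag
TEMP_DIR = re.compile(r"\\temp\\|%temp%", re.I)                    # path under a Temp folder
JAR_CACHE = re.compile(r"jar_cache\d+\.tmp", re.I)                 # file name pattern from the entry
VALUE = re.compile(r"^\s+StubPath\s+REG_(?:EXPAND_)?SZ\s+(.*)$", re.I)

def parse_stubpaths(text):
    """Yield (registry key, StubPath command) pairs from `reg query` output."""
    key = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
        else:
            m = VALUE.match(line)
            if m and key:
                yield key, m.group(1).strip()

def suspicious_stubpaths(text):
    """Return (key, command, reasons) for StubPaths that run Java from a Temp location."""
    findings = []
    for key, cmd in parse_stubpaths(text):
        cp = CLASSPATH.search(cmd)
        if not (JAVA.search(cmd) and cp):
            continue
        reasons = []
        if TEMP_DIR.search(cp.group(1)):
            reasons.append("classpath in Temp folder")
        if JAR_CACHE.search(cp.group(1)):
            reasons.append("jar_cache*.tmp used as classpath")
        if reasons:
            findings.append((key, cmd, reasons))
    return findings

if __name__ == "__main__":
    for key, cmd, reasons in suspicious_stubpaths(SAMPLE):
        print(key, "->", "; ".join(reasons))
```

A hit is a lead for review rather than a verdict; compare the flagged key and the referenced file against the entries listed in this description.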
Propagation
This worm drops the following copy of itself on all physical and removable drives:
- RECYCLER\{SID}\{random characters}.{random ext}