WORM_CMDLOH.AA
Aliases: P2P-Worm.Win32.CMDloh.b (Kaspersky); Worm:Win32/Autorun.ABS (Microsoft)
Platform: Windows 2000, Windows XP, Windows Server 2003
Threat Type: Worm
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This worm arrives via peer-to-peer (P2P) shares. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It connects to certain websites to send and receive information.
TECHNICAL DETAILS
Arrival Details
This worm arrives via peer-to-peer (P2P) shares.
It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This worm drops the following copies of itself into the affected system:
- %System%\wcynsvc.exe
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)
Autostart Technique
This worm registers itself as a system service to ensure its automatic execution at every system startup by adding the following registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wnetwisk
ImagePath = "%System%\wcynsvc.exe"
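The following check is an added example, not part of the original write-up or any vendor tool: it scans a text export of the Services registry key for the service name and dropped file listed above, decoding the hex(2) form that regedit uses for ImagePath. The function names and the sample export are constructed for illustration, the export is assumed to be already decoded to text, and the check goes slightly beyond the entry by also flagging any other service whose ImagePath points at the same file name.

```python
import re

# Indicators from the write-up above: service key name and dropped file name.
SERVICE_NAME, DROPPED_FILE = "wnetwisk", "wcynsvc.exe"
SERVICES = "\\currentcontrolset\\services\\"

def decode_value(raw):
    """Decode a .reg value: quoted REG_SZ or hex(2) REG_EXPAND_SZ (UTF-16LE)."""
    raw = raw.strip()
    if raw.startswith('"'):
        return raw[1:-1].replace("\\\\", "\\")
    if raw.lower().startswith("hex(2):"):
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b.strip())
        return data.decode("utf-16-le", errors="replace").rstrip("\0")
    return raw

def find_cmdloh_services(reg_text):
    """Return (service, ImagePath, reasons) for matching services; subkeys are ignored."""
    # regedit wraps long hex data with a trailing backslash; rejoin those lines.
    reg_text = re.sub(r"\\\r?\n\s*", "", reg_text)
    file_re = re.compile(r"(?:^|[\\/])" + re.escape(DROPPED_FILE) + r"(?![\w.])", re.I)
    hits, service = [], None
    for line in map(str.strip, reg_text.splitlines()):
        if line.startswith("["):
            key = line.strip("[]")
            _, sep, name = key.lower().rpartition(SERVICES)
            service = key[-len(name):] if sep and name and "\\" not in name else None
        elif service and line.lower().startswith('"imagepath"='):
            path = decode_value(line.split("=", 1)[1])
            reasons = ["service name"] if service.lower() == SERVICE_NAME else []
            reasons += ["image file"] if file_re.search(path) else []
            if reasons:
                hits.append((service, path, reasons))
    return hits

def _expand_sz(text):  # sample helper: hex(2) data wrapped the way regedit wraps it
    h = [f"{b:02x}" for b in (text + "\0").encode("utf-16-le")]
    return "hex(2):" + ",".join(h[:20]) + ",\\\n  " + ",".join(h[20:])

BASE = "[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"  # constructed sample
SAMPLE = "\n".join([
    "Windows Registry Editor Version 5.00", "",
    BASE + "Wnetwisk]", '"ImagePath"=' + _expand_sz(r"C:\WINDOWS\system32\wcynsvc.exe"), "",
    BASE + "Spooler]", '"ImagePath"=' + _expand_sz(r"%SystemRoot%\system32\spoolsv.exe"), "",
    BASE + "Renamed]", r'"ImagePath"="C:\\WINDOWS\\system32\\wcynsvc.exe"',
])

if __name__ == "__main__":
    for svc, path, why in find_cmdloh_services(SAMPLE):
        print(f"{svc}: {path} ({', '.join(why)})")
```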
Other Details
This worm connects to the following websites to send and receive information:
- {BLOCKED}ng55.{BLOCKED}2.org
- {BLOCKED}ng33.{BLOCKED}p.net