WORM_VOBFUS.PY
Windows 2000, Windows XP, Windows Server 2003
Threat Type: Worm
Destructiveness: No
Encrypted:
In the wild: Yes
TECHNICAL DETAILS
Installation
This worm drops the following copies of itself into the affected system and executes them:
- %User Profile%\paoni.exe
(Note: %User Profile% is the current user's profile folder, which is usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003.)
Autostart Technique
This worm creates the following registry entries to enable automatic execution of dropped component at every system startup:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
paoni = "%User Profile%\paoni.exe /n"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
paoni = "%User Profile%\paoni.exe /g"
It modifies the following registry entries to ensure it automatic execution at every system startup:
HKEY_CURRENT_USER\Software\Microsoft\
Windows NT\CurrentVersion\Windows
load = "%User Profile%\paoni.exe /r"
(Note: The default value data of the said registry entry is "".)
Other System Modifications
This worm modifies the following registry entries to hide files with Hidden attributes:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
ShowSupperHidden = "00000001"
(Note: The default value data of the said registry entry is 00000000.)
Other Details
This worm connects to the following possibly malicious URL:
- {BLOCKED}1.{BLOCKED}date{random}.{random}