echo:
to:
from:
date:
subject: ews, October 8 2007
cut-n-paste from sophos.com]
Name: W32/SillyFDC-AY
Type:
* Worm
How it spreads:
* Removable storage devices
* Peer-to-peer
Affected operating systems:
* Windows
Side effects:
* Modifies data on the computer
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
* Leaves non-infected files on computer
Prevalence (1-5): 2
Description
W32/SillyFDC-AY is a worm for the Windows platform.
Advanced
W32/SillyFDC-AY is a worm for the Windows platform.
When run W32/SillyFDC-AY copies itself to the following locations:
\My Documents\sex.scr
\Documents\Linkin park.scr
\Documents\sex.scr
\svhost.exe
\Restore\razor.exe
\ami.exe
\disdn\mirc.exe
W32/SillyFDC-AY also creates the files:
\mhjo.log
\rz.txt
\drivers\td.txt
\drives\etc\td.txt
\Restore\rstrlog.dat
These files can be safely deleted.
W32/SillyFDC-AY spreads via removable shared drives and via Yahoo! Messenger.
W32/SillyFDC-AY sets the following registry entries to run itself on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  ami.exe = \ami.exe
  mirc.exe = \disdn\mirc.exe
  razor.exe = \Restore\razor.exe
  rz.scr = \Restore\rz.scr
  svhost.exe = \svhost.exe
W32/SillyFDC-AY also sets the following registry entries:
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
  EnableFirewall = 0
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
  EnableFirewall = 0
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
  DoNotAllowXPSP2 = 1
HKLM\SYSTEM\CurrentControlSet\Control
  SafeBoot = Razor worm
HKCU\Software\Microsoft\Windows Script\Settings
  JITDebug = 0
HKCU\Software\yahoo\pager\FileTransfer
  Virus Checker = nothing
HKLM\SOFTWARE\Microsoft\Security Center
  AntiVirusDisableNotify = 1
  AntiVirusOverride = 1
HKLM\SOFTWARE\Microsoft\S
--- Platinum Xpress/Win/WINServer v3.0pr5
 * Origin: Doc's Place BBS Fido Since 1991 docsplace.tzo.com (1:123/140)
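The registry changes listed in the advisory are the most useful artefacts for host triage. The following is an added example, not Sophos's or the poster's code: a Python script that parses a Windows `.reg` export and flags the advisory's startup entries and security-disabling values. It assumes the export has already been read as text (`reg export` writes UTF-16), and the sample export embedded in it is constructed for the demonstration.

```python
import re

# Indicators from the advisory above: key -> {value name: data the worm writes}; None means the value
# name alone is enough. Keys use the long hive names that `reg export` writes.
INDICATORS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run":
        {"ami.exe": None, "mirc.exe": None, "razor.exe": None, "rz.scr": None, "svhost.exe": None},
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile": {"EnableFirewall": 0},
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile": {"EnableFirewall": 0},
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate": {"DoNotAllowXPSP2": 1},
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control": {"SafeBoot": "Razor worm"},
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center": {"AntiVirusDisableNotify": 1, "AntiVirusOverride": 1},
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows Script\Settings": {"JITDebug": 0},
    r"HKEY_CURRENT_USER\Software\yahoo\pager\FileTransfer": {"Virus Checker": "nothing"},
}

def _unescape(s):  # .reg files escape backslashes and double quotes inside quoted strings
    return s.replace('\\"', '"').replace("\\\\", "\\")

def parse_reg_export(text):
    """Parse a .reg export into {key: {value_name: data}} (dword -> int, quoted strings unescaped)."""
    entries, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"^\[(.+)\]$", line):                               # [HKEY_...\Subkey] header
            entries.setdefault(key := m.group(1), {})
        elif key and (m := re.match(r'^"((?:[^"\\]|\\.)+)"=(.*)$', line)):  # "Name"=data
            name, raw = _unescape(m.group(1)), m.group(2)
            if raw.startswith("dword:"):
                raw = int(raw[6:], 16)
            elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
                raw = _unescape(raw[1:-1])
            entries[key][name] = raw  # other types (hex:, expand strings) are kept as raw text
    return entries

def find_indicators(text):
    """Return [(key, value_name, data)] for each advisory indicator present; names compare case-insensitively."""
    wanted = {k.lower(): {n.lower(): d for n, d in v.items()} for k, v in INDICATORS.items()}
    return [(key, name, data)
            for key, values in parse_reg_export(text).items()
            for name, data in values.items()
            if wanted.get(key.lower(), {}).get(name.lower(), ...) in (None, data)]  # None: any data; ...: not an indicator

# Constructed sample export (not from the advisory): a benign Run entry beside the worm's svhost.exe, the
# Standard profile firewall policy off, AV notifications suppressed, AntiVirusOverride left untouched.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"svhost.exe"="C:\\svhost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
"EnableFirewall"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000000
'''
```

Running `find_indicators(SAMPLE_EXPORT)` flags the svhost.exe Run entry, the disabled Standard profile firewall and the suppressed AV notification, and leaves ctfmon.exe and the unchanged AntiVirusOverride alone.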
SOURCE: echomail via fidonet.ozzmosis.com