Encountered Worm.UsbSpy.a / Worm.Win32.Delf.AJ


Endurer, original

Version 1, 2006

A friend of mine plugged his portable hard disk into a computer in the morning and used it normally. In the afternoon the machine started showing an error message about data protection.

The computer runs Windows XP SP2. Because it is not connected to the Internet, he could not download tools such as HijackThis to analyse it, so everything below was done with what XP ships with.

Task Manager shows a process named wincfgs.exe. Its icon is a yellow question mark, which looks suspicious, so the process was ended.

Open a Command Prompt window and search for the file from the root of the drive (the leading backslash makes attrib /s walk the whole volume rather than just the current directory):
/------------
C:\Documents and Settings\user>attrib \wincfgs*.* /s
SHR          C:\Windows\system32\wincfgs.exe
------------/
The file sits in C:\Windows\system32 with the system (S), hidden (H) and read-only (R) attributes set, which is why it does not show up in Explorer with default settings. It was backed up into a WinRAR archive and then deleted.

Open the Registry Editor and search for entries containing "wincfgs":
/------------
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"Load"="C:\\windows\\system32\\wincfgs.exe"
------------/
The Load value in this key is a per-user autostart location that Windows still honours: whatever it names is started at logon. It is easy to overlook because it is not one of the usual Run keys, so it belongs on a manual checklist next to them.

Checking the portable hard disk turns up an autorun.inf in the root directory with the following content:
/----------
[Autorun]
Open=.\recycler\autorun.exe

Shell\1=open
Shell\1\command=.\recycler\autorun.exe
Shell\2\=Browser
Shell\2\command=.\recycler\autorun.exe

ShellExecute=.\recycler\autorun.exe
----------/
Every entry (the Open and ShellExecute actions and both context-menu verbs) points at the same file, so when AutoRun is enabled for the drive, double-clicking it in My Computer or choosing "open" or "Browser" from its right-click menu runs the worm. The file autorun.exe is hidden in the recycler directory in the root of the disk, which looks like the Recycle Bin folder and so draws no attention.
Comparing the two files with the fc command shows that autorun.exe is byte-for-byte identical to wincfgs.exe.

Rising identifies it as Worm.UsbSpy.a.

VirusTotal result (status: finished)

Complete scanning result of "wincfgs.exe", received in VirusTotal at 09.12.2006, 06:40:13 (CET).

Antivirus           Version         Update      Result
AntiVir             7.1.1.16        09.11.2006  Worm/Delf.aj.1
Authentium          4.93.8          09.11.2006  W32/Sillyworm.RE
Avast               4.7.844.0       09.11.2006  Win32:Delf-AQT
AVG                 386             09.11.2006  Worm/Delf.GW
BitDefender         7.2             09.12.2006  Trojan.Agent.AAE
CAT-QuickHeal       8.00            09.11.2006  Worm.Delf.AJ
ClamAV              devel-20060426  09.12.2006  Worm.Delf-21
DrWeb               4.33            09.11.2006  Trojan.MulDrop.3780
eTrust-InoculateIT  23.72.122       09.12.2006  Win32/Usbspy.1PK!Trojan
eTrust-Vet          30.3.3071       09.11.2006  Win32/Bypuss
Ewido               4.0             09.11.2006  Worm.Delf.AJ
Fortinet            2.77.0.0        09.11.2006  W32/Delf.AJ!worm
F-Prot              3.16f           09.11.2006  W32/Sillyworm.RE
F-Prot4             4.2.1.29        09.11.2006  W32/Sillyworm.RE
Ikarus              0.2.65.0        09.11.2006  no virus found
Kaspersky           4.0.2.24        09.12.2006  Worm.Win32.Delf.AJ
McAfee              4849            09.11.2006  Generic MultiDropper.b
Microsoft           1.1560          09.12.2006  no virus found
NOD32v2             1.1750          09.11.2006  Win32/Delf.AJ
Norman              5.90.23         09.11.2006  W32/Delf.OMO
Panda               9.0.0.4         09.11.2006  Adware/Look2Me
Sophos              4.09.0          09.11.2006  W32/Delf-CRK
Symantec            8.0             09.12.2006  no virus found
TheHacker           5.9.8.209       09.11.2006  W32/Delf.AJ
UNA                 1.83            09.11.2006  Worm.Win32.Delf
VBA32               3.11.1          09.12.2006  Worm.Win32.Delf.AJ
VirusBuster         4.3.7:9         09.11.2006  Worm.Delf.AZX

Additional information

File size: 47104 bytes

MD5: 07adddef653a702b9a11edbcee07e82b

SHA1: 97729f6df1cd96b61e3e2bc1a841adf1720e2ec5
