Endurer (original)
2006-01 version
A friend of mine plugged his portable hard disk into a computer and used it normally in the morning; in the afternoon, however, an error message about data protection appeared.
This friend's computer runs Windows XP SP2. Because it is not connected to the Internet, he could not download analysis tools such as HijackThis.
Task Manager shows a process named wincfgs.exe whose icon is a yellow question mark. That looked suspicious, so the process was terminated.
Open the Command Prompt window to search for files:
/------------
C:\Documents and Settings\user> attrib wincfgs*.* /s
   SHR       C:\Windows\system32\wincfgs.exe
------------/
The file sits in C:\Windows\system32 with the system, hidden, and read-only attributes set. It was backed up with WinRAR and then deleted.
Open the Registry Editor and search for entries containing "wincfgs":
/------------
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"Load"="C:\\windows\\system32\\wincfgs.exe"
------------/
Checking the portable hard disk, an autorun.inf is found in its root directory with the following content:
/----------
[Autorun]
open=.\recycler\autorun.exe
shell\1=open
shell\1\command=.\recycler\autorun.exe
shell\2\=Browser
shell\2\command=.\recycler\autorun.exe
shellexecute=.\recycler\autorun.exe
----------/
A file named autorun.exe is hidden in the recycler folder (the disk's recycle bin directory).
Comparing the two with the fc command shows that autorun.exe is byte-for-byte identical to wincfgs.exe.
Rising identifies it as Worm.usbspy.
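As an added example (not part of the original post), the following Python checker parses an autorun.inf like the one above and reports which entries would launch a program and whether they point into a recycle-bin style folder. The sample content is reconstructed from the listing above; the key handling (open, shellexecute, shell\<n>\command) reflects how Windows reads the file, and the LURE_DIRS list is an assumption based on this case.

```python
import re

# Constructed sample reproducing the autorun.inf found on the portable disk
SAMPLE_AUTORUN_INF = """\
[Autorun]
open=.\\recycler\\autorun.exe
shell\\1=open
shell\\1\\command=.\\recycler\\autorun.exe
shell\\2\\=Browser
shell\\2\\command=.\\recycler\\autorun.exe
shellexecute=.\\recycler\\autorun.exe
"""

EXEC_EXT = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif")
# Keys that make Windows run something: open, shellexecute, shell\<verb>\command
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.I)
# Folders that look like system areas but are writable and easily overlooked (assumed list)
LURE_DIRS = ("recycler", "recycled", "system volume information")


def parse_autorun(text):
    """Return {key: value} from the [Autorun] section; keys are lower-cased."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_targets(entries):
    """List (key, target) pairs for every entry that launches a program."""
    return [(k, v) for k, v in entries.items() if LAUNCH_KEY.match(k)]


def assess(text):
    """Return sorted reasons why this autorun.inf deserves a closer look."""
    reasons = set()
    for key, target in launch_targets(parse_autorun(text)):
        low = target.lower().replace("/", "\\")
        if low.endswith(EXEC_EXT):
            reasons.add(f"{key} launches an executable: {target}")
        if any(d in low for d in LURE_DIRS):
            reasons.add(f"{key} points into a recycle/system folder: {target}")
    return sorted(reasons)
```

A clean autorun.inf that only sets an icon or label yields an empty list, so the function doubles as a quick triage step for any removable disk.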
Status: finished
Complete scanning result of "wincfgs.exe", received in VirusTotal at 09.12.2006, 06:40:13 (CET).

Antivirus         | Version        | Update     | Result
------------------+----------------+------------+-------------------------
AntiVir           | 7.1.1.16       | 09.11.2006 | Worm/Delf.AJ.1
Authentium        | 4.93.8         | 09.11.2006 | W32/Sillyworm.RE
Avast             | 4.7.844.0      | 09.11.2006 | Win32:Delf-AQT
AVG               | 386            | 09.11.2006 | Worm/Delf.GW
BitDefender       | 7.2            | 09.12.2006 | Trojan.Agent.AAE
CAT-QuickHeal     | 8.00           | 09.11.2006 | Worm.Delf.AJ
ClamAV            | devel-20060426 | 09.12.2006 | Worm.Delf-21
DrWeb             | 4.33           | 09.11.2006 | Trojan.MulDrop.3780
eTrust-InoculateIT| 23.72.122      | 09.12.2006 | Win32/USBSpy.1pk!Trojan
eTrust-Vet        | 30.3.3071      | 09.11.2006 | Win32/Bypuss.
Ewido             | 4.0            | 09.11.2006 | Worm.Delf.AJ
Fortinet          | 2.77.0.0       | 09.11.2006 | W32/Delf.AJ!Worm
F-Prot            | 3.16f          | 09.11.2006 | W32/Sillyworm.RE
F-Prot4           | 4.2.1.29       | 09.11.2006 | W32/Sillyworm.RE
Ikarus            | 0.2.65.0       | 09.11.2006 | No virus found
Kaspersky         | 4.0.2.24       | 09.12.2006 | Worm.Win32.Delf.AJ
McAfee            | 4849           | 09.11.2006 | Generic MultiDropper.B
Microsoft         | 1.1560         | 09.12.2006 | No virus found
NOD32v2           | 1.1750         | 09.11.2006 | Win32/Delf.AJ
Norman            | 5.90.23        | 09.11.2006 | W32/Delf.OMO
Panda             | 9.0.0.4        | 09.11.2006 | Adware/Look2me
Sophos            | 4.09.0         | 09.11.2006 | W32/Delf-CRK
Symantec          | 8.0            | 09.12.2006 | No virus found
TheHacker         | 5.9.8.209      | 09.11.2006 | W32/Delf.AJ
UNA               | 1.83           | 09.11.2006 | Worm.Win32.Delf
VBA32             | 3.11.1         | 09.12.2006 | Worm.Win32.Delf.AJ
VirusBuster       | 4.3.7:9        | 09.11.2006 | Worm.Delf.AZX
Additional information
File size: 47104 bytes
MD5: 07adddef653a702b9a11edbcee07e82b
SHA1: 97729f6df1cd96b61e3e2bc1a841adf1720e2ec5