W32/Foova.r

Type: Worm
Size: 13824 Byte
System Affected: Windows 2000,XP,NT,....

Characteristics :

1) Creates the following registry keys :


◊ HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\FunotCDI32 = Pron Sex Old.exe


◊ HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\SystemC32 = Saba+FooVA.eXe


◊ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\LoVEd-Sara = SARA16.exe


◊ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\ExploreIE = Saba+FooVA.eXe


◊ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\KoMicT.Dll = SEXY-Dir.exe


◊ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\MatriX = Saba+FooVA.eXe


◊ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\Foo+VA = Saba+FooVA.eXe


2) Create the following files :

◊ %system%\ZAN72
◊ %system%\SEXY-Dir.exe
◊ %system%\Teens69.dll
◊ %WINDOWS%\Sara16.exe
◊ %WINDOWS%\Aminsw64.dll
◊ %WINDOWS%\Tbsdas.bmp
◊ %WINDOWS%\Yteew32.bat
◊ %WINDOWS%\Iran.mp3
◊ %root%\Saba+FooVA.eXe

Copyright © 1994-2008 Imen Computer Virology Laboratory I.C.V.L .
All Rights Reserved .
Mehran Rayaneh Engineering Co.