Threat Encyclopedia

Win32/Anilogo.F

Aliases: Worm.Win32.Anilogo.f (Kaspersky), W32.Mumawow.F (Symantec), TrojanDownloader:Win32/Cekar.gen!A (Microsoft)
Type of infiltration: Worm
Size: 28000 B
Affected platforms: Microsoft Windows
Signature database version: 2766 (20080104)

Short description

Win32/Anilogo.F is a worm which tries to download other malware from the Internet.

Installation

When executed, the worm copies itself into the following location:
  • %windir%\Fonts\syn00-23-7D-C5-B7-B9\system\smss.exe (28000 B)
In order to be executed on every system start, the worm sets the following Registry entry:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TBMonEx" = "%windir%\Fonts\syn00-23-7D-C5-B7-B9\system\smss.exe"
The following Registry entries are created:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%application%]
    "Debugger" = "net"
The %application% is one of the following strings:
  • _AVP32.EXE
  • _AVPCC.EXE
  • _AVPM.EXE
  • 360rpt.exe
  • 360Safe.exe
  • 360tray.exe
  • ACKWIN32.EXE
  • ANTI-TROJAN.EXE
  • APVXDWIN.EXE
  • AUTODOWN.EXE
  • AVCONSOL.EXE
  • AVE32.EXE
  • AVGCTRL.EXE
  • AVKSERV.EXE
  • AVNT.EXE
  • AVP.EXE
  • AVP32.EXE
  • AVPCC.EXE
  • AVPDOS32.EXE
  • AVPM.EXE
  • AVPTC32.EXE
  • AVPUPD.EXE
  • AVSCHED32.EXE
  • AVWIN95.EXE
  • AVWUPD32.EXE
  • BLACKD.EXE
  • BLACKICE.EXE
  • CFIADMIN.EXE
  • CFIAUDIT.EXE
  • CFINET.EXE
  • CFINET32.EXE
  • CLAW95.EXE
  • CLAW95CF.EXE
  • CLEANER.EXE
  • CLEANER3.EXE
  • DVP95.EXE
  • DVP95_0.EXE
  • ECENGINE.EXE
  • EGHOST.EXE
  • ESAFE.EXE
  • EXPWATCH.EXE
  • F-AGNT95.EXE
  • FESCUE.EXE
  • FINDVIRU.EXE
  • FPROT.EXE
  • F-PROT.EXE
  • F-PROT95.EXE
  • FP-WIN.EXE
  • FRW.EXE
  • F-STOPW.EXE
  • IAMAPP.EXE
  • IAMSERV.EXE
  • IBMASN.EXE
  • IBMAVSP.EXE
  • ICLOAD95.EXE
  • ICLOADNT.EXE
  • ICMON.EXE
  • ICSUPP95.EXE
  • ICSUPPNT.EXE
  • IFACE.EXE
  • IOMON98.EXE
  • Iparmor.exe
  • JEDI.EXE
  • KAV32.exe
  • KAVPFW.EXE
  • KAVsvc.exe
  • KAVSvcUI.exe
  • KAVsvcUI.exe
  • KVFW.EXE
  • KVMonXP.exe
  • KVMonXP.kxp
  • KVSrvXP.exe
  • KVsrvXP.exe
  • KVwsc.exe
  • KvXP.kxp
  • KWatchUI.EXE
  • LOCKDOWN2000.EXE
  • Logo1_.exe
  • LOOKOUT.EXE
  • LUALL.EXE
  • MAILMON.EXE
  • MOOLIVE.EXE
  • MPFTRAY.EXE
  • N32SCANW.EXE
  • Navapsvc.exe
  • Navapw32.exe
  • NAVAPW32.EXE
  • NAVLU32.EXE
  • NAVNT.EXE
  • navw32.EXE
  • NAVW32.EXE
  • NAVWNT.EXE
  • NISUM.EXE
  • NMain.exe
  • NMAIN.EXE
  • NORMIST.EXE
  • NUPGRADE.EXE
  • NVC95.EXE
  • PAVCL.EXE
  • PAVSCHED.EXE
  • PAVW.EXE
  • PCCWIN98.EXE
  • PCFWALLICON.EXE
  • PERSFW.EXE
  • PFW.EXE
  • PFW.exe
  • Rav.exe
  • rav.exe
  • RAV7.EXE
  • RAV7WIN.EXE
  • RAVmon.exe
  • RavMon.exe
  • RAVmonD.exe
  • RAVtimer.exe
  • Ravtimer.exe
  • Rising.exe
  • rising.exe
  • SAFEWEB.EXE
  • SCAN32.EXE
  • SCAN95.EXE
  • SCANPM.EXE
  • SCRSCAN.EXE
  • SERV95.EXE
  • SMC.EXE
  • SPHINX.EXE
  • SWEEP95.EXE
  • TBSCAN.EXE
  • TCA.EXE
  • TDS2-98.EXE
  • TDS2-NT.EXE
  • THGUARD.EXE
  • TrojanHunter.exe
  • VET95.EXE
  • VETTRAY.EXE
  • VSCAN40.EXE
  • VSECOMR.EXE
  • VSHWIN32.EXE
  • VSSTAT.EXE
  • WEBSCANX.EXE
  • WFINDV32.EXE
  • ZONEALARM.EXE

Spreading on removable media

The worm copies itself into the root folders of fixed and/or removable drives using the following filename:
  • %drive%\ntldr.exe (28000 B)
The following file is dropped in the same folder:
  • %drive%\autorun.inf
Thus, the worm ensures it is started each time infected media is inserted into the computer.
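As an added defender-side audit (not part of this ESET entry), the following PowerShell script checks a host for the persistence and removable-media artefacts described in the Installation and Spreading sections above: Image File Execution Options "Debugger" values (flagging the "net" value the worm uses), the "TBMonEx" Run value pointing under %windir%\Fonts, and ntldr.exe next to autorun.inf in drive roots. The registry and file paths are those given in this entry; the flagging heuristics are the script's own and it is read-only.

```powershell
# Added example, not from the ESET entry: read-only audit of the artefacts it describes.
$ifeoKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$runKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$findings = @()

# 1. IFEO hijack: a "Debugger" value makes Windows start that program instead of the
#    named application. This worm sets it to "net" for the security tools listed above,
#    so launching them fails silently. Legitimate debuggers also use this value, so every
#    entry is reported and only the "net" case is flagged.
foreach ($sub in (Get-ChildItem -Path $ifeoKey -ErrorAction SilentlyContinue)) {
    $dbg = (Get-ItemProperty -Path $sub.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) {
        $findings += [PSCustomObject]@{
            Check = 'IFEO Debugger'; Where = $sub.PSChildName; Value = $dbg
            Flag  = ($dbg.Trim('"').Trim() -ieq 'net')
        }
    }
}

# 2. Run key: the entry uses the value name "TBMonEx" pointing at a copy of the worm
#    under %windir%\Fonts, a folder that normally contains no executables.
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($p in $run.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
        $findings += [PSCustomObject]@{
            Check = 'Run value'; Where = $p.Name; Value = $p.Value
            Flag  = ($p.Name -eq 'TBMonEx') -or ("$($p.Value)" -like '*\Fonts\*')
        }
    }
}

# 3. Drive roots: the worm drops ntldr.exe beside an autorun.inf. The genuine boot
#    loader file is named "ntldr" with no extension, so "ntldr.exe" in a root is suspicious.
foreach ($d in (Get-PSDrive -PSProvider FileSystem)) {
    $root   = $d.Root
    $hasExe = Test-Path -LiteralPath (Join-Path $root 'ntldr.exe')
    $hasInf = Test-Path -LiteralPath (Join-Path $root 'autorun.inf')
    if ($hasExe) {
        $findings += [PSCustomObject]@{
            Check = 'Drive root'; Where = $root
            Value = $(if ($hasInf) { 'ntldr.exe + autorun.inf' } else { 'ntldr.exe' })
            Flag  = $true
        }
    }
}

# Flagged rows first; anything flagged should be triaged with the host's AV logs.
$findings | Sort-Object Flag -Descending | Format-Table -AutoSize
```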

Executable file infection

Win32/Anilogo.F can infect executable files.

The worm searches local and network drives for files with one of the following extensions:
  • .exe
It avoids files which contain any of the following strings in their path:
  • Common Files
  • Internet Explorer
  • recycler
  • system volume information
  • windows
  • Windows NT
  • winnt
It avoids files with the following filenames:
  • AdBalloonExt.exe
  • BackgroundDownloader.exe
  • BugReport.exe
  • CA.exe
  • CONFIG.exe
  • CoralQQ.exe
  • dzh.exe
  • fb3.exe
  • Findbug.EXE
  • game.exe
  • GAME2.EXE
  • GAME3.EXE
  • Game4.exe
  • hypwise.exe
  • KartRider.exe
  • laizi.exe
  • Launcher.exe
  • Lobby_Setup.exe
  • Meteor.exe
  • mir.exe
  • nettools.exe
  • NMCOSrv.exe
  • NMService.exe
  • o2_unins_web.exe
  • O2Jam.exe
  • O2JamPatchClient.exe
  • O2Mania.exe
  • O2ManiaDriverSelect.exe
  • OTwo.exe
  • patchupdate.exe
  • PES5.exe
  • PES6.exe
  • proxy.exe
  • QQ.exe
  • QQexternal.exe
  • ra2.exe
  • ra21006ch.exe
  • ra3.exe
  • ra4.exe
  • Repair.exe
  • Roadrash.exe
  • settings.exe
  • sTwo.exe
  • tm.exe
  • Updater.exe
  • WE8.exe
  • WoW.exe
  • zhengtu.exe
  • ztconfig.exe
Files are infected by adding a new section that contains the worm.

The host file is modified in a way that causes the worm to be executed prior to running the original code.

The size of the inserted code is 29 KB.

Other information

The worm acquires data and commands from a remote computer or the Internet.

The worm contains a list of 7 URLs. Communication uses the HTTP protocol.

It can execute the following operations:
  • download files from a remote computer and/or the Internet
  • run executable files
The worm may create the following files:
  • %windir%\Fonts\syn00-23-7D-C5-B7-B9\system\smss.exe.tmp
  • %windir%\Fonts\syn00-23-7D-C5-B7-B9\system\SYSTEM128.tmp
  • %windir%\Fonts\syn00-23-7D-C5-B7-B9\system\SYSTEM128.vxd
  • %windir%\Fonts\syn00-23-7D-C5-B7-B9\system\10074.INC
  • %windir%\Fonts\syn00-23-7D-C5-B7-B9\system\%variable1%
  • %variable2%.bat
  • ani.ani
%variable1% and %variable2% stand for strings with variable content.

The worm may set the following Registry entries:
  • [HKEY_CURRENT_USER\Control Panel\Cursors]
    "AppStarting" = "%systemroot%\Cursors\3dwarro.cur"
    "AppStarting" = ""
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Google\BA]
    "setup" = "yes"
The worm launches the following processes:
  • explorer.exe
  • iexplore.exe