Threat Encyclopedia


Win32/Boberog.AQ

Aliases: Heur.Trojan.Generic (Kaspersky), Worm:Win32/Pushbot (Microsoft), W32/Heuristic-257!Eldorado (F-Prot)
Type of infiltration: Worm
Size: 53912 B
Affected platforms: Microsoft Windows
Signature database version: 5021 (20100412)

Short description

Win32/Boberog.AQ is a worm that spreads via IM networks. The worm contains a backdoor. It can be controlled remotely.

Installation

When executed, the worm copies itself to some of the following locations:
  • %desktop%\dlll.exe (53912 B)
  • %appdata%\dlll.exe (53912 B)
In order to be executed on every system start, the worm sets the following Registry entries:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Windows System Guard" = "%desktop%\dlll.exe"
    "Windows System Guard" = "%appdata%\dlll.exe"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Windows System Guard" = "%desktop%\dlll.exe"
    "Windows System Guard" = "%appdata%\dlll.exe"

Spreading via IM networks

Win32/Boberog.AQ is a worm that spreads via IM networks.

The worm sends links to MSN, Yahoo, ICQ, Skype, AIM and Paltalk users.

The message contains a URL link to a website hosting malware.

If the link is clicked, a copy of the worm is downloaded.

The messages may contain any of the following texts:
  • olhar para esta foto :D %url%
  • se på dette bildet :D %url%
  • bekijk deze foto :D %url%
  • schau mal das foto an :D %url%
  • look at this picture :D %url%
  • mira esta fotografía :D %url%
  • regardez cette photo :D %url%
  • guardare quest'immagine :D %url%
  • podívejte se na mou fotku :D %url%
  • ser på dette billede :D %url%
  • nézd meg a képet :D %url%
  • spojrzec na to zdjecie :D %url%
  • bu resmi bakmak :D %url%
  • katso tätä kuvaa :D %url%
  • uita-te la aceasta fotografie :D %url%
  • pozrite sa na túto fotografiu :D %url%
  • titta på denna bild :D %url%
  • poglej to fotografijo :D %url%
  • pogledaj to slike :D %url%
  • seen this?? :D %url%

Other information

The worm acquires data and commands from a remote computer or the Internet.

The worm connects to the following address:
  • winupdservice.net
Communication with it uses the IRC protocol.

It can execute the following operations:
  • download files from a remote computer and/or the Internet
  • run executable files
  • spread via IM networks
  • perform DoS/DDoS attacks
  • collect information about the operating system used
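The three indicator types above (the Run-key persistence entry, the IM lure messages, and the IRC command-and-control host) are enough for a small host and log triage. The script below is an added example, not ESET's code: it takes exported Run-key values, captured chat lines and DNS query names, and reports which of them match the indicators from this entry. The Run-key values, chat lines and DNS queries embedded in it are constructed sample data; the indicator strings (value name, file name, lure phrases, C2 domain) are the ones given in the entry, and the lure matcher treats %url% as a placeholder for any http(s) link.

```python
"""Triage helper for the Win32/Boberog.AQ indicators in this entry.

Added example, not ESET's code. SAMPLE_* data below is constructed for the
demo; the indicator constants come from the encyclopedia entry itself.
"""
import json
import re

RUN_VALUE_NAME = "Windows System Guard"   # Run-key value name the worm sets
DROPPED_FILE = "dlll.exe"                 # file name of the dropped copy
C2_DOMAIN = "winupdservice.net"           # IRC C2 host named in the entry

# Lure phrases from the entry, with the trailing " :D %url%" removed.
LURE_PHRASES = {
    "olhar para esta foto", "se på dette bildet", "bekijk deze foto",
    "schau mal das foto an", "look at this picture", "mira esta fotografía",
    "regardez cette photo", "guardare quest'immagine",
    "podívejte se na mou fotku", "ser på dette billede", "nézd meg a képet",
    "spojrzec na to zdjecie", "bu resmi bakmak", "katso tätä kuvaa",
    "uita-te la aceasta fotografie", "pozrite sa na túto fotografiu",
    "titta på denna bild", "poglej to fotografijo", "pogledaj to slike",
    "seen this??",
}

# Message shape "<phrase> :D <url>"; %url% in the entry stands for a real link.
LURE_RE = re.compile(r"^(?P<phrase>.+?)\s*:D\s*(?P<url>https?://\S+)\s*$", re.I)


def is_boberog_run_value(name: str, data: str) -> bool:
    """True if a Run-key (name, data) pair matches the worm's persistence entry.

    Accepts both the unexpanded %desktop%/%appdata% form and expanded paths
    (Desktop, Application Data, AppData) as found in a registry export.
    """
    if name.strip().lower() != RUN_VALUE_NAME.lower():
        return False
    path = data.strip().strip('"').lower()
    if path.rsplit("\\", 1)[-1] != DROPPED_FILE:
        return False
    markers = ("%desktop%", "%appdata%", "\\desktop\\",
               "\\application data\\", "\\appdata\\")
    return any(m in path for m in markers)


def extract_lure(text: str):
    """Return (phrase, url) when a chat line has the worm's lure shape, else None."""
    m = LURE_RE.match(text)
    if not m:
        return None
    phrase = m.group("phrase").strip().lower()
    if phrase not in LURE_PHRASES:
        return None
    return phrase, m.group("url")


def is_c2_query(qname: str) -> bool:
    """True for a DNS query for the C2 host or any subdomain of it."""
    q = qname.strip().rstrip(".").lower()
    return q == C2_DOMAIN or q.endswith("." + C2_DOMAIN)


def triage(run_values, chat_lines, dns_queries) -> dict:
    """Collect Boberog.AQ indicators from the three artifact sources."""
    lures = []
    for line in chat_lines:
        hit = extract_lure(line)
        if hit:
            lures.append((line, hit[1]))
    return {
        "persistence": [(n, d) for n, d in run_values if is_boberog_run_value(n, d)],
        "lures": lures,
        "c2": [q for q in dns_queries if is_c2_query(q)],
    }


# Constructed sample input (not real host data).
SAMPLE_RUN_VALUES = [
    ("Windows System Guard", "%appdata%\\dlll.exe"),
    ("OneDrive", "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"),
    ("Windows System Guard", "C:\\Users\\alice\\Desktop\\dlll.exe"),
]
SAMPLE_CHAT = [
    "look at this picture :D http://example.invalid/photo.jpg",
    "MIRA ESTA FOTOGRAFÍA :D http://example.invalid/img",
    "seen this?? :D http://example.invalid/x",
    "lunch at 12?",
    "look at this picture on the wall",
]
SAMPLE_DNS = ["winupdservice.net.", "irc.winupdservice.net", "update.microsoft.com"]

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_RUN_VALUES, SAMPLE_CHAT, SAMPLE_DNS),
                     indent=2, ensure_ascii=False))
```

The lure matcher is deliberately strict (known phrase, the ":D" separator, then a link) so that an ordinary sentence containing one of the phrases does not fire; the C2 check matches subdomains as well, since IRC servers are commonly addressed through a host under the base domain.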