Threat Encyclopedia


Short description
Win32/Bogoj.B is a worm that spreads via removable media. The file is run-time compressed using Astrum SFX.
Installation
When executed, the worm drops the following files in the %windir% folder:
  • lsass.exe (77824 B)
  • nerodigit16.inf (20480 B)
  • services.exe (53248 B)
  • uninstlv16.exe (32768 B)
The following file is dropped in the %temp% folder:
  • errir.exe (20480 B)
In order to be executed on every system start, the worm sets the following Registry entry:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{%variable%}]
    "StubPath" = "%windir%\uninstlv16.exe"
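Added example, not part of this encyclopedia entry: a defender-side audit of the Active Setup persistence described above. It parses a .reg export (the sample below is constructed, with placeholder GUIDs) and flags any StubPath whose executable sits directly in %windir%, which is where this worm drops uninstlv16.exe, rather than under a system subfolder.

```python
import re

# Constructed .reg export (not from the page): one ordinary-looking Active Setup
# component and one that mirrors the StubPath entry described above.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{11111111-2222-3333-4444-555555555555}]
"StubPath"="C:\\Windows\\System32\\example_stub.exe /quiet"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}]
"StubPath"="C:\\Windows\\uninstlv16.exe"
"""

# Key header of an Active Setup component; group 1 captures the {GUID} name.
ACTIVE_SETUP_KEY = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Active Setup\\"
    r"Installed Components\\(\{[^}]+\})\]$", re.I)
STUBPATH_VALUE = re.compile(r'^"StubPath"="(.*)"$', re.I)


def parse_stubpaths(reg_text):
    """Map each Active Setup component GUID to its StubPath command line."""
    stubs, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):            # a new key starts; is it Active Setup?
            m = ACTIVE_SETUP_KEY.match(line)
            current = m.group(1) if m else None
            continue
        m = STUBPATH_VALUE.match(line)
        if current and m:
            # .reg exports double every backslash inside string values; undo that.
            stubs[current] = m.group(1).replace("\\\\", "\\")
    return stubs


def suspicious_stubpaths(reg_text, windir=r"C:\Windows"):
    """Return (guid, exe) pairs whose stub executable lives directly in %windir%.

    Legitimate Active Setup stubs normally live under System32 or Program Files;
    a file dropped straight into %windir%, as this worm does, stands out.
    """
    hits = []
    for guid, stub in parse_stubpaths(reg_text).items():
        exe = stub.split(" ")[0]            # strip arguments (sample paths are unquoted)
        parent = exe.rsplit("\\", 1)[0]
        if parent.lower() == windir.lower():
            hits.append((guid, exe))
    return hits
```

On a live system the same check can be run against the output of `reg export "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" dump.reg`, comparing each hit against the machine's known software inventory.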
The following Registry entries are created:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\torn.exe\torn]
    "Directory" = "%program_files%\torn"
    "Version" = "1.00"
    "Uninstaller" = "%windir%\torn uninstaller.exe"
The worm displays a fake error message.
Spreading on removable media
The worm creates the following folders:
  • %drive%\tg_root
The following file is dropped in the same folder:
  • uninstall.exe
The worm creates the following file:
  • %drive%\autorun.inf
Thus, the worm ensures it is started each time infected media is inserted into the computer.
Information stealing
Win32/Bogoj.B is a worm that steals passwords and other sensitive information. The data is saved in the following file:
  • %userprofile%\feedback.html
The worm is able to log keystrokes. The worm can send the collected information to a remote machine: it contains one URL and communicates with it over HTTP.
Other information
The worm encrypts files on local disks. The extension of the encrypted files is changed to:
  • .xnc
The worm deletes the original file. It skips files whose path contains any of the following strings:
  • \%windir%\
  • \Program Files\
  • \Boot\
  • \ProgramData\Microsoft\
  • \Users\All Users\Microsoft\
It avoids files with the following extensions:
  • .ini
  • .sys
  • .dll
  • .log
  • .com
When searching the drives, the worm creates the following file in every folder visited:
  • read this.txt
It contains the following text:
  • Hello,
  • As you probably already noticed, your files on this Pc/laptop are encrypted.
  • That means you cant use them before you decrypt them.
  • Decrypthing these files without password and proper software is impossible.
  • Im the only person in the world who has password and software you need to decrypt your files.
The worm creates the following files:
  • %windir%\javainstal5.log