Threat Encyclopedia

Win32/Pinit.AF

Aliases: Trojan-Clicker.Win32.Vesloruki.dnk (Kaspersky), Worm/Mariofev.A.26 (Avira), Worm:Win32/Mariofev.A (Microsoft)
Type of infiltration: Worm
Size: 261120 B
Affected platforms: Microsoft Windows
Signature database version: 4808 (20100126)

Short description

Win32/Pinit.AF is a worm that spreads via shared folders.

Installation

When executed, the worm copies itself into the %system% folder using the following filename:
  • cooper.mine
The following files are dropped in the same folder:
  • nmklo.dll
  • dfg5j.fw
  • feq2.zt
  • fe6hbfe1.an
  • veyi.r3
  • 3fse.sr
  • %variable1%
  • %variable2%
The following files are modified:
  • %system%\user32.dll
  • %system%\dllcache\user32.dll
The following Registry entry is set:
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    "Appi%variable3%t_Dlls" = "nmklo"
This causes the worm to be executed on every application start.

A string with variable content is used instead of %variable1-3%.

The worm registers itself as a system service using the following service name:
  • OKAHAI Service
The worm may set the following Registry entries:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\1]
    "31AC70412E939D72A9234CDEBB1AF5867B"
    "31897356954C2CD3D41B221E3F24F99BBA"
    "31C2E1E4D78E6A11B88DFA803456A1FFA5"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\6]
    "31AC70412E939D72A9234CDEBB1AF5867B"
    "31897356954C2CD3D41B221E3F24F99BBA"
    "31C2E1E4D78E6A11B88DFA803456A1FFA5"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\7]
    "31AC70412E939D72A9234CDEBB1AF5867B"
    "31897356954C2CD3D41B221E3F24F99BBA"
    "31C2E1E4D78E6A11B88DFA803456A1FFA5"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\8]
    "31AC70412E939D72A9234CDEBB1AF5867B"
    "31897356954C2CD3D41B221E3F24F99BBA"
    "31C2E1E4D78E6A11B88DFA803456A1FFA5"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\9]
    "31AC70412E939D72A9234CDEBB1AF5867B"
    "31897356954C2CD3D41B221E3F24F99BBA"
    "31C2E1E4D78E6A11B88DFA803456A1FFA5"

Spreading via shared folders

Win32/Pinit.AF is a worm that spreads via shared folders.

It tries to copy itself to the following shares on a remote machine:
  • \\%remotecomputer%\IPC$
  • \\%remotecomputer%\admin$
The following filenames are used:
  • GameLoft.exe
The worm contains a list of passwords that are tried when accessing remote machines.

The following usernames are used:
  • administrator
The following passwords are used:
  • 0
  • 1
  • 11
  • 13
  • 123
  • 133
  • 666
  • 777
  • 1212
  • 1234
  • 1313
  • 12345
  • 123456
  • 12345678
  • !@#
  • 123abc
  • a1b2c3
  • abc123
  • adm
  • admin
  • administrator
  • alex
  • andrew
  • apple
  • asa
  • avalon
  • baseball
  • bear
  • buster
  • calvin
  • canada
  • carmen
  • changeme
  • computer
  • diamond
  • donald
  • dragon
  • fuckme
  • fuckyou
  • harley
  • hello
  • hockey
  • internet
  • jordan
  • letmein
  • maggie
  • matthew
  • michael
  • michelle
  • mickey
  • mike
  • miller
  • mindy
  • money
  • mustang
  • ou812
  • pass
  • password
  • patick
  • q
  • qaz
  • qazxsw
  • qqq
  • qwerty
  • qwerty1
  • qwerty12
  • ranger
  • secret
  • service
  • shadow
  • snoopy
  • summer
  • test
  • test
  • tiger
  • tigger
  • trustno1
  • xxx
  • zaq
  • zaqwsx
  • zzz
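
The spreading behaviour above (a password list tried against the built-in administrator account, then a copy of GameLoft.exe into an administrative share) leaves a recognisable trail in Windows Security logging. The following detector is an added example, not part of the ESET entry: it runs over constructed sample records whose fields loosely follow events 4625 (failed logon), 4624 (logon) and 5145 (network share access), and the WINDOW and THRESHOLD values are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=2)  # assumption: the password list is tried in a quick burst
THRESHOLD = 5                  # assumption: 5+ failed logons inside WINDOW is a burst

# Constructed sample events (not real telemetry). Field names loosely follow
# Security events 4625 (failed logon), 4624 (logon) and 5145 (share access).
EVENTS = [
    {"ts": "2010-01-26T10:00:01", "id": 4625, "src": "10.0.0.7", "user": "administrator"},
    {"ts": "2010-01-26T10:00:02", "id": 4625, "src": "10.0.0.7", "user": "administrator"},
    {"ts": "2010-01-26T10:00:03", "id": 4625, "src": "10.0.0.7", "user": "administrator"},
    {"ts": "2010-01-26T10:00:04", "id": 4625, "src": "10.0.0.7", "user": "administrator"},
    {"ts": "2010-01-26T10:00:05", "id": 4625, "src": "10.0.0.7", "user": "administrator"},
    {"ts": "2010-01-26T10:00:06", "id": 4624, "src": "10.0.0.7", "user": "administrator"},
    {"ts": "2010-01-26T10:00:08", "id": 5145, "src": "10.0.0.7", "user": "administrator",
     "share": "\\\\*\\ADMIN$", "target": "GameLoft.exe"},
    # benign: one mistyped password followed by a normal logon
    {"ts": "2010-01-26T10:05:00", "id": 4625, "src": "10.0.0.9", "user": "administrator"},
    {"ts": "2010-01-26T10:05:20", "id": 4624, "src": "10.0.0.9", "user": "administrator"},
]

def _parse(ev):
    return dict(ev, ts=datetime.fromisoformat(ev["ts"]))

def _burst_end(times):
    """First instant at which THRESHOLD failures have landed inside WINDOW, else None."""
    for i in range(len(times) - THRESHOLD + 1):
        if times[i + THRESHOLD - 1] - times[i] <= WINDOW:
            return times[i + THRESHOLD - 1]
    return None

def detect(events):
    """Return one alert per source IP that shows the burst -> logon -> share-copy chain."""
    by_src = defaultdict(list)
    for ev in sorted(map(_parse, events), key=lambda e: e["ts"]):
        by_src[ev["src"]].append(ev)
    alerts = []
    for src, evs in by_src.items():
        fails = [e["ts"] for e in evs if e["id"] == 4625 and e["user"].lower() == "administrator"]
        end = _burst_end(fails)
        if end is None:
            continue
        later = [e for e in evs if e["ts"] >= end]
        logon = any(e["id"] == 4624 for e in later)
        dropped = any(e["id"] == 5145 and e.get("share", "").upper().endswith(("ADMIN$", "IPC$"))
                      and e.get("target", "").lower() == "gameloft.exe" for e in later)
        alerts.append({"src": src, "failed_logons": len(fails), "logon_after_burst": logon,
                       "gameloft_copied": dropped,
                       "severity": "high" if logon and dropped else "medium"})
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

A burst alone yields a medium alert; the same source then logging on and writing GameLoft.exe to ADMIN$ or IPC$ raises it to high.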

Other information

The worm may create the following files:
  • c:\work.log
  • c:\crash.dmp
  • c:\crashdump.log
  • %windir%\mqcd.dbt
  • %system%\system32\cls32.exe
The worm may set the following Registry entries:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion]
    "MID"
    "st"
    "dwn"
    "ccnt"
    "nhr"
The worm connects to the following addresses:
  • http://shponchik.com/gda/gate/data.php
  • http://shponchik.com/gda/gate/r.php
It can send various information about the infected computer.

The following information is collected:
  • antivirus software detected on the affected machine
  • installed software
  • operating system version