Threat Encyclopedia


Short description
The worm tries to copy itself into shared folders of machines on a local network.
Installation
When executed, the worm copies itself into the %system% folder using the following name:
  • aston.mt (126976 B)
The following files are dropped in the same folder:
  • nvaux32.dll (237576 B)
  • e.spa (32768 B)
  • adj.j (32768 B)
  • devh.e2 (37376 B)
  • rdxz.e (63488 B)
The worm may create copies of the following files (source, destination):
  • %system%\user32.dll, %system%\%variable%
A string with variable content is used instead of %variable%.

The following file is modified:
  • %system%\user32.dll
In order to be executed on every system start, the worm sets the following Registry entry:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "%variable%Init_Dlls" = "nvaux32"
A string with variable content is used instead of %variable%.
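A host-side check for the installation and persistence artifacts listed above, written as an added example for this entry; it is not part of the ESET write-up or of any vendor tool. It assumes the %system% directory listing and a text-decoded registry export (the output of `reg export` is UTF-16 on disk) have already been collected from the machine under review. The sample listing, the `xq` prefix in the value name and the one file size that differs from the list above are constructed values; the file names, sizes, key and data string are the ones the entry gives. Because the value-name prefix is variable, the check matches any value under the key whose name ends in `Init_Dlls`, which also covers the legitimate `AppInit_DLLs` value should it point at `nvaux32`.

```python
"""Check collected host data for the Win32/Pinit.B artifacts described above.
Added example; the sample inputs below are constructed, not real captures."""
import re

# Files the entry says are created in %system%: name -> size in bytes.
DROPPED_FILES = {
    "aston.mt": 126976,
    "nvaux32.dll": 237576,
    "e.spa": 32768,
    "adj.j": 32768,
    "devh.e2": 37376,
    "rdxz.e": 63488,
}

PERSISTENCE_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
PERSISTENCE_DATA = "nvaux32"

# Constructed %system% listing: name -> size. rdxz.e is given a deliberately
# wrong size to show how a name-only match is reported separately.
SAMPLE_LISTING = {
    "aston.mt": 126976,
    "nvaux32.dll": 237576,
    "rdxz.e": 60000,
    "kernel32.dll": 989696,
}

# Constructed registry export in `reg export` text form. "xq" stands in for
# the variable prefix; the other two values are the normal AppInit entries.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"LoadAppInit_DLLs"=dword:00000001
"xqInit_Dlls"="nvaux32"
'''


def match_dropped_files(listing):
    """Return (exact, name_only): names whose size also matches the entry,
    and names that match but whose size differs (a possible variant)."""
    exact, name_only = [], []
    for name, size in listing.items():
        expected = DROPPED_FILES.get(name.lower())
        if expected is None:
            continue
        (exact if size == expected else name_only).append(name)
    return sorted(exact), sorted(name_only)


_VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"=(?P<data>.*)$')


def parse_reg_export(text):
    """Minimal parser for reg-export text: {key: {value_name: data}}.
    REG_SZ data has its quotes removed; other types are kept as raw text."""
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            data = m.group("data")
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1]
            result[current][m.group("name")] = data
    return result


def find_persistence_values(reg):
    """Value names under the Windows key that end in 'Init_Dlls' (any prefix,
    as the entry describes) and whose data references nvaux32."""
    hits = []
    for key, values in reg.items():
        if key.lower() != PERSISTENCE_KEY.lower():
            continue
        for name, data in values.items():
            if name.lower().endswith("init_dlls") and PERSISTENCE_DATA in data.lower():
                hits.append(name)
    return hits


if __name__ == "__main__":
    exact, name_only = match_dropped_files(SAMPLE_LISTING)
    print("exact file matches:", exact)
    print("name-only matches:", name_only)
    print("persistence values:", find_persistence_values(parse_reg_export(SAMPLE_REG_EXPORT)))
```

On the constructed sample this reports `aston.mt` and `nvaux32.dll` as exact matches, `rdxz.e` as a name-only match, and `xqInit_Dlls` as the persistence value; `LoadAppInit_DLLs` is not reported because its data does not reference `nvaux32`.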
Spreading via shared folders
Win32/Pinit.B is a worm that spreads via shared folders.

The worm tries to copy itself into shared folders of machines on a local network.

The following usernames are used:
  • administrator
The following passwords are used:
  • 0
  • 1
  • 11
  • 13
  • 123
If successful, the following filenames are used:
  • MarioForever.exe
  • %system%\cls.exe
The file is then remotely executed.

The worm registers itself as a system service using the following filename:
  • OKAMAI Service
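A detection over Windows event records for the spreading behaviour described in this section, added here as an example; it is not code from the ESET entry. It flags a service-install event (System log event 7045) whose service name is "OKAMAI Service" or whose image is one of the two filenames listed above, and then looks back on the same host for a preceding network logon (Security event 4624, logon type 3) as `administrator` to recover the source address of the copy. The event records, hosts, addresses and times are constructed; the field names are simplified from the real events, and a deployment would map them from the exported log.

```python
"""Correlate suspect service installs with the network logon that preceded
them, for the Win32/Pinit.B share-spreading behaviour. Added example; all
event records below are constructed."""
from datetime import datetime, timedelta
import os

SUSPECT_SERVICE = "okamai service"
SUSPECT_IMAGES = {"marioforever.exe", "cls.exe"}

# Constructed records. id 4624 = logon (logon_type 3 = network),
# id 7045 = new service installed. Only WS-07 shows the worm's pattern.
SAMPLE_EVENTS = [
    {"time": "2000-01-01 10:00:05", "host": "WS-07", "id": 4624,
     "logon_type": 3, "user": "administrator", "src_ip": "10.0.0.21"},
    {"time": "2000-01-01 10:00:09", "host": "WS-07", "id": 7045,
     "service": "OKAMAI Service", "image": r"C:\WINDOWS\system32\cls.exe"},
    {"time": "2000-01-01 10:04:00", "host": "WS-09", "id": 4624,
     "logon_type": 3, "user": "jdoe", "src_ip": "10.0.0.5"},
    {"time": "2000-01-01 10:30:00", "host": "WS-12", "id": 7045,
     "service": "Print Spooler Helper",
     "image": r"C:\Program Files\Vendor\spoolhlp.exe"},
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def service_is_suspect(ev):
    """True for a 7045 record matching the service name or image filenames
    the entry lists. Backslashes are normalised so this also runs on Linux."""
    if ev.get("id") != 7045:
        return False
    name = ev.get("service", "").lower()
    image = os.path.basename(ev.get("image", "").replace("\\", "/")).lower()
    return name == SUSPECT_SERVICE or image in SUSPECT_IMAGES


def correlate(events, window=timedelta(minutes=5)):
    """For each suspect service install, find the most recent network logon
    as 'administrator' on the same host within `window` and report its source
    address (None when no such logon is found)."""
    alerts = []
    ordered = sorted(events, key=lambda e: _ts(e["time"]))
    for i, ev in enumerate(ordered):
        if not service_is_suspect(ev):
            continue
        t = _ts(ev["time"])
        source = None
        for prev in reversed(ordered[:i]):
            if t - _ts(prev["time"]) > window:
                break
            if prev["host"] != ev["host"]:
                continue
            if (prev.get("id") == 4624 and prev.get("logon_type") == 3
                    and prev.get("user", "").lower() == "administrator"):
                source = prev.get("src_ip")
                break
        alerts.append({"host": ev["host"], "time": ev["time"],
                       "service": ev["service"], "image": ev["image"],
                       "source_ip": source})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

On the sample this produces one alert, for WS-07, with `source_ip` 10.0.0.21; the unrelated service on WS-12 and the non-administrator logon on WS-09 are left alone. The source address is the more useful field for response, since on a worm of this kind it identifies the already-infected machine that performed the copy.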
Information stealing
Win32/Pinit.B is a worm that steals passwords and other sensitive information. The worm can send the information to a remote machine. The HTTP protocol is used.
Other information
The worm alters the behavior of the following processes:
  • avgcc.exe
  • zlclient.exe
  • kavpf.exe
  • lspfix.exe
The worm launches the following processes:
  • cmd.exe
  • ftp.exe
  • net.exe
The following files are deleted:
  • %system%\pla.ax
  • %system%\paso.el
  • %system%\ntpl.bin
  • %system%\aston.mt
The worm can download and execute a file from the Internet.