W32.Browaf Virus discovered today

W32.Browaf is a worm that sends a link to a copy of itself via Yahoo Instant Messenger and MIRC. It also modifies the Internet Explorer Home page.
Once executed, W32.Browaf performs the following actions:

  1. Creates the following files:
    • %UserProfile%\Start Menu\Internet Browser.lnk
    • %UserProfile%\Start Menu\Programs\Startup\YMSND.lnk
    • %Temp%\Startup.exe
    • C:\YSND\Ysnd.exe
    • %Temp%\Browser.exe
    • %Temp%\FtpBrowser.exe
    • %Temp%\Sys.dll
    • %Temp%\icon.ico

    Note:
    %Temp% is a variable that refers to the Windows temporary folder. By default, this is C:\Windows\TEMP (Windows 95/98/Me/XP) or C:\WINNT\Temp (Windows NT/2000).
    %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[CURRENT USER] (Windows NT/2000/XP).
  2. Adds the value: "IE" = "C:\YSND\Ysnd.exe"

    to the registry subkeys:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

    so that it is executed every time Windows starts.

  3. Creates the following registry subkey: HKEY_CURRENT_USER\Software\VB and VBA Program Settings\ThePowerGoat
  4. Modifies the values:
    "Local Page" = "[http://]lamanweb.com/install/inde[REMOVED]"
    "Start Page" = "[http://]lamanweb.com/install/inde[REMOVED]"

    in the registry subkey:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main

    to change settings in Internet Explorer.

  5. Modifies the values:
    "Default_Page_URL" = "[http://]lamanweb.com/install/inde[REMOVED]"
    "HpDed" = "[http://]lamanweb.com/install/inde[REMOVED]"
    "Local Page" = "[http://]lamanweb.com/install/inde[REMOVED]"
    "Start Page" = "[http://]lamanweb.com/install/inde[REMOVED]"

    in the registry subkey:

    HKEY_CURRENT_USER\Software\Microsoft\InternetExplorer\Main

    to change settings in Internet Explorer.

  6. Spreads by sending a link to itself via Yahoo Instant Messenger or MIRC sessions.
  7. Connects to the following URL to download commands from a remote attacker and IM messages to use while spreading: [http://]lamanweb.com/comma[REMOVED]
  8. Adds itself to the Start Menu as an icon called Internet Browser.
  9. Displays the following message:
    Title: Download OK
    Message: Complete Downloading....

  10. Displays the following message: Please wait....
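As an added example (not part of the advisory above), a Python triage check that scans a text dump produced by `reg export` for the indicators listed in steps 2 to 5: a Run/RunServices value launching Ysnd.exe, the ThePowerGoat marker key, and Internet Explorer "Main" values pointing at lamanweb.com. The sample export is constructed, its URL tail is a placeholder because the advisory truncates the real one, and `scan_reg_export` and its helpers are names chosen here.

```python
import re

# Indicators transcribed from the writeup above. Key paths are normalised
# (lower-case, spaces removed) so both "Internet Explorer" spellings match.
def _norm(key):
    return key.lower().replace(" ", "")
AUTORUN_KEYS = {_norm(k) for k in (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run")}
MARKER_KEY = _norm(r"HKEY_CURRENT_USER\Software\VB and VBA Program Settings\ThePowerGoat")
IE_MAIN_SUFFIX = _norm(r"\Software\Microsoft\Internet Explorer\Main")
HIJACK_HOST, DROPPED_EXE = "lamanweb.com", r"\ysnd\ysnd.exe"
# One "name"="string data" line of a .reg export (REG_SZ only; \\ and \" are escaped).
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def scan_reg_export(text):
    """Return (kind, key, value_name, data) for every Browaf indicator found."""
    findings, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):   # new key section
            key = line[1:-1]
            if _norm(key) == MARKER_KEY:
                findings.append(("marker_key", key, None, None))
            continue
        m = VALUE_RE.match(line)
        if key is None or not m:
            continue
        name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())  # undo .reg escapes
        nk = _norm(key)
        if nk in AUTORUN_KEYS and data.lower().endswith(DROPPED_EXE):
            findings.append(("autorun", key, name, data))
        elif nk.endswith(IE_MAIN_SUFFIX) and HIJACK_HOST in data.lower():
            findings.append(("ie_hijack", key, name, data))
    return findings

# Constructed sample export; the URL tail is a placeholder because the advisory truncates it.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"IE"="C:\\YSND\\Ysnd.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://lamanweb.com/install/[REMOVED]"
[HKEY_CURRENT_USER\Software\VB and VBA Program Settings\ThePowerGoat]
'''

if __name__ == "__main__":
    for kind, key, name, data in scan_reg_export(SAMPLE_EXPORT):
        print(f"{kind:10} {key}  {name!r} = {data!r}")
```

Run it against `reg export HKCU hkcu.reg` output (and likewise for HKLM) from a machine under triage; a clean export yields an empty list.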
