Win32/Anilogo.F
Short description
Win32/Anilogo.F is a worm which tries to download other malware from the Internet.
Installation
When executed, the worm copies itself into the following location:
- %windir%\Fonts\syn00-23-7D-C5-B7-B9\system\smss.exe (28000 B)
The worm sets the following Registry entries:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  "TBMonEx" = "%windir%\Fonts\syn00-23-7D-C5-B7-B9\system\smss.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%application%]
  "Debugger" = "net"
- _AVP32.EXE
- _AVPCC.EXE
- _AVPM.EXE
- 360rpt.exe
- 360Safe.exe
- 360tray.exe
- ACKWIN32.EXE
- ANTI-TROJAN.EXE
- APVXDWIN.EXE
- AUTODOWN.EXE
- AVCONSOL.EXE
- AVE32.EXE
- AVGCTRL.EXE
- AVKSERV.EXE
- AVNT.EXE
- AVP.EXE
- AVP32.EXE
- AVPCC.EXE
- AVPDOS32.EXE
- AVPM.EXE
- AVPTC32.EXE
- AVPUPD.EXE
- AVSCHED32.EXE
- AVWIN95.EXE
- AVWUPD32.EXE
- BLACKD.EXE
- BLACKICE.EXE
- CFIADMIN.EXE
- CFIAUDIT.EXE
- CFINET.EXE
- CFINET32.EXE
- CLAW95.EXE
- CLAW95CF.EXE
- CLEANER.EXE
- CLEANER3.EXE
- DVP95.EXE
- DVP95_0.EXE
- ECENGINE.EXE
- EGHOST.EXE
- ESAFE.EXE
- EXPWATCH.EXE
- F-AGNT95.EXE
- FESCUE.EXE
- FINDVIRU.EXE
- FPROT.EXE
- F-PROT.EXE
- F-PROT95.EXE
- FP-WIN.EXE
- FRW.EXE
- F-STOPW.EXE
- IAMAPP.EXE
- IAMSERV.EXE
- IBMASN.EXE
- IBMAVSP.EXE
- ICLOAD95.EXE
- ICLOADNT.EXE
- ICMON.EXE
- ICSUPP95.EXE
- ICSUPPNT.EXE
- IFACE.EXE
- IOMON98.EXE
- Iparmor.exe
- JEDI.EXE
- KAV32.exe
- KAVPFW.EXE
- KAVsvc.exe
- KAVSvcUI.exe
- KAVsvcUI.exe
- KVFW.EXE
- KVMonXP.exe
- KVMonXP.kxp
- KVSrvXP.exe
- KVsrvXP.exe
- KVwsc.exe
- KvXP.kxp
- KWatchUI.EXE
- LOCKDOWN2000.EXE
- Logo1_.exe
- LOOKOUT.EXE
- LUALL.EXE
- MAILMON.EXE
- MOOLIVE.EXE
- MPFTRAY.EXE
- N32SCANW.EXE
- Navapsvc.exe
- Navapw32.exe
- NAVAPW32.EXE
- NAVLU32.EXE
- NAVNT.EXE
- navw32.EXE
- NAVW32.EXE
- NAVWNT.EXE
- NISUM.EXE
- NMain.exe
- NMAIN.EXE
- NORMIST.EXE
- NUPGRADE.EXE
- NVC95.EXE
- PAVCL.EXE
- PAVSCHED.EXE
- PAVW.EXE
- PCCWIN98.EXE
- PCFWALLICON.EXE
- PERSFW.EXE
- PFW.EXE
- PFW.exe
- Rav.exe
- rav.exe
- RAV7.EXE
- RAV7WIN.EXE
- RAVmon.exe
- RavMon.exe
- RAVmonD.exe
- RAVtimer.exe
- Ravtimer.exe
- Rising.exe
- rising.exe
- SAFEWEB.EXE
- SCAN32.EXE
- SCAN95.EXE
- SCANPM.EXE
- SCRSCAN.EXE
- SERV95.EXE
- SMC.EXE
- SPHINX.EXE
- SWEEP95.EXE
- TBSCAN.EXE
- TCA.EXE
- TDS2-98.EXE
- TDS2-NT.EXE
- THGUARD.EXE
- TrojanHunter.exe
- VET95.EXE
- VETTRAY.EXE
- VSCAN40.EXE
- VSECOMR.EXE
- VSHWIN32.EXE
- VSSTAT.EXE
- WEBSCANX.EXE
- WFINDV32.EXE
- ZONEALARM.EXE
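The Image File Execution Options entry above works because Windows launches the program named in "Debugger" in place of the application itself, so a value like "net" silently stops the listed security tools from starting. The following PowerShell check is an added defensive example, not part of the ESET entry: it enumerates every IFEO subkey carrying a "Debugger" value, flags those that are not a recognised debugger (the $knownDebuggers list is an assumption to adjust per environment), and looks for the "TBMonEx" Run value described in the Installation section.

```powershell
# Added example: sweep IFEO "Debugger" values and the Anilogo.F Run-key entry.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$run  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

# Debuggers that are legitimately registered in many environments (assumption; adjust).
$knownDebuggers = @('vsjitdebugger.exe', 'windbg.exe', 'drwtsn32.exe', 'procdump.exe')

function Get-SuspiciousIfeoDebugger {
    Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
        $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ([string]::IsNullOrWhiteSpace($dbg)) { return }   # no Debugger value: next subkey
        # Take the program part of the value (quoted path or first token), reduced to a file name.
        $first = if ($dbg.StartsWith('"')) { ($dbg -split '"')[1] } else { ($dbg -split '\s+')[0] }
        $exe   = [System.IO.Path]::GetFileName($first).ToLower()
        [PSCustomObject]@{
            Application = $_.PSChildName          # the image name being redirected
            Debugger    = $dbg                    # e.g. "net" in the Anilogo.F case
            Suspicious  = -not ($knownDebuggers -contains $exe)
        }
    }
}

function Get-AnilogoRunEntry {
    # "TBMonEx" pointing into %windir%\Fonts\...\system\smss.exe is the persistence entry
    # described in the Installation section; smss.exe never lives under Fonts on a clean system.
    $v = Get-ItemProperty -Path $run -Name TBMonEx -ErrorAction SilentlyContinue
    if ($v) { [PSCustomObject]@{ Name = 'TBMonEx'; Value = $v.TBMonEx } }
}

Get-SuspiciousIfeoDebugger | Where-Object Suspicious | Format-Table -AutoSize
Get-AnilogoRunEntry
```

Run from an elevated prompt; an empty result from both functions means neither the IFEO redirection nor the Run entry is present.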
Spreading on removable media
The worm copies itself into the root folders of fixed and/or removable drives using the following filenames:
- %drive%\ntldr.exe (28000 B)
- %drive%\autorun.inf
Executable file infection
Win32/Anilogo.F can infect executable files. The worm searches local and network drives for files with one of the following extensions:
- .exe
- Common Files
- Internet Explorer
- recycler
- system volume information
- windows
- Windows NT
- winnt
- AdBalloonExt.exe
- BackgroundDownloader.exe
- BugReport.exe
- CA.exe
- CONFIG.exe
- CoralQQ.exe
- dzh.exe
- fb3.exe
- Findbug.EXE
- game.exe
- GAME2.EXE
- GAME3.EXE
- Game4.exe
- hypwise.exe
- KartRider.exe
- laizi.exe
- Launcher.exe
- Lobby_Setup.exe
- Meteor.exe
- mir.exe
- nettools.exe
- NMCOSrv.exe
- NMService.exe
- o2_unins_web.exe
- O2Jam.exe
- O2JamPatchClient.exe
- O2Mania.exe
- O2ManiaDriverSelect.exe
- OTwo.exe
- patchupdate.exe
- PES5.exe
- PES6.exe
- proxy.exe
- QQ.exe
- QQexternal.exe
- ra2.exe
- ra21006ch.exe
- ra3.exe
- ra4.exe
- Repair.exe
- Roadrash.exe
- settings.exe
- sTwo.exe
- tm.exe
- Updater.exe
- WE8.exe
- WoW.exe
- zhengtu.exe
- ztconfig.exe
The host file is modified in a way that causes the worm to be executed prior to running the original code.
The size of the inserted code is 29 KB.
Other information
The worm acquires data and commands from a remote computer or the Internet. The worm contains a list of (7) URLs. The HTTP protocol is used.
It can execute the following operations:
- download files from a remote computer and/or the Internet
- run executable files
- %windir%\Fonts\syn00-23-7D-C5-B7-B9\system\smss.exe.tmp
- %windir%\Fonts\syn00-23-7D-C5-B7-B9\system\SYSTEM128.tmp
- %windir%\Fonts\syn00-23-7D-C5-B7-B9\system\SYSTEM128.vxd
- %windir%\Fonts\syn00-23-7D-C5-B7-B9\system\10074.INC
- %windir%\Fonts\syn00-23-7D-C5-B7-B9\system\%variable1%
- %variable2%.bat
- ani.ani
The worm may set the following Registry entries:
- [HKEY_CURRENT_USER\Control Panel\Cursors]
  "AppStarting" = "%systemroot%\Cursors\3dwarro.cur"
  "AppStarting" = ""
- [HKEY_LOCAL_MACHINE\SOFTWARE\Google\BA]
  "setup" = "yes"
- explorer.exe
- iexplore.exe
