Selected viruses, spyware, and other threats: sorted alphabetically

O
P
Q
R
S
T
U
V
W
X
Y
Z
Glossary

Win32/Boberog.AQ

Aliases:	Heur.Trojan.Generic (Kaspersky), Worm:Win32/Pushbot (Microsoft), W32/Heuristic-257!Eldorado (F-Prot)
Type of infiltration:	Worm
Size:	53912 B
Affected platforms:	Microsoft Windows
Signature database version:	5021 (20100412)

Short description

Win32/Boberog.AQ is a worm that spreads via IM networks. The worm contains a backdoor. It can be controlled remotely.

Installation

When executed, the worm copies itself in some of the the following locations:

%desktop%dlll.exe (53912 B)
%appdata%dlll.exe (53912 B)

In order to be executed on every system start, the worm sets the following Registry entries:

[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersion
Run]
"Windows System Guard" = "%desktop%dlll.exe"
"Windows System Guard" = "%appdata%dlll.exe"
[HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersion
Run]
"Windows System Guard" = "%desktop%dlll.exe"
"Windows System Guard" = "%appdata%dlll.exe"

Spreading via IM networks

Win32/Boberog.AQ is a worm that spreads via IM networks.

The worm sends links to MSN, Yahoo, ICQ, Skype, AIM, Paltalk users.

The message contains a URL link to a website containing malware.

If the link is clicked a copy of the worm is downloaded.

The messages may contain any of the following texts:

olhar para esta foto :D %url%
se p� dette bildet :D %url%
bekijk deze foto :D %url%
schau mal das foto an :D %url%
look at this picture :D %url%
mira esta fotograf�a :D %url%

Other information

The worm acquires data and commands from a remote computer or the Internet.

The worm connects to the following addresses:

winupdservice.net

The IRC protocol is used in the communication.

It can execute the following operations:

download files from a remote computer and/or the Internet
run executable files
spread via IM networks
perform DoS/DDoS attacks
collect information about the operating system used