Selected viruses, spyware, and other threats: sorted alphabetically

O
P
Q
R
S
T
U
V
W
X
Y
Z
Glossary

Win32/Inject.NDR

Aliases:	Worm.Win32.AutoRun.bliz (Kaspersky), Trojan:Win32/Rimecud (Microsoft), W32.Pilleuz (Symantec)
Type of infiltration:	Worm
Size:	319488 B
Affected platforms:	Microsoft Windows
Signature database version:	5207 (20100618)

Short description

Win32/Inject.NDR is a worm that spreads via removable media. The worm contains a backdoor. It can be controlled remotely.

Installation

When executed, the worm copies itself into the following location:

%appdata%djjqs.exe

In order to be executed on every system start, the worm sets the following Registry entries:

[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersion
Winlogon]
"Taskman" = "%appdata%djjqs.exe"
"Shell" = "explorer.exe,%appdata%djjqs.exe"

Spreading on removable media

The worm copies itself into the root folders of removable drives using the following filename:

little.exe

The following file is dropped in the same folder:

autorun.inf

Thus, the worm ensures it is started each time infected media is inserted into the computer.

Other information

The worm creates and runs a new thread with its own program code within the following processes:

explorer.exe

The worm receives data and instructions for further action from the Internet or another remote computer within its own network (botnet).

It can execute the following operations:

perform DoS/DDoS attacks
download files from a remote computer and/or the Internet
run executable files
set up a proxy server
spread via MSN network