Discovered: May 4, 2006
Updated: May 4, 2006 10:35:26 AM
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
W32.Amirecivel is a worm that attempts to spread via the Kazaa file-sharing network and hides security-related windows.
Once executed, the worm copies itself as the following files:
%System%\svchot.exe
C:\Program Files\Kazaa\My Shared Folder\kaza.cmd
C:\Program Files\Kazaa\My Shared Folder\iraq.pic.scr
C:\Program Files\Kazaa\My Shared Folder\CIVIL.exe
D:\amir_civil.cmd
D:\SCREEN_SAVER.scr
D:\SCREEN_SAVER2.scr
D:\Program Files\Kazaa\My Shared Folder\iran.pic.pif
E:\002.pic.pif
E:\amir_civil.scr
F:\amir_civil3.scr
E:\cool.pic.scr
E:\winx32.pif
F:\iran.scr
F:\iran_02.scr
G:\amir_civil.cmd
G:\anti_virus(norton).doc.cmd
The worm searches all folders and subfolders on the C: drive. In every folder whose path contains the letter "r", it copies itself as the following file:
%CurrentFolder%\project2.exe
The worm creates the following registry entry so that it runs every time Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"amircivil" = "%System%\svchot.exe..."
The worm creates the following registry subkey:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\amir_civil
The worm hides windows with the following class names, some of which are windows for security-related programs:
NAVAP Wnd Class
MGHTML_DLG_CLASS
#32770
ConsoleWindowClass
notepad
The worm then restarts the computer.
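A read-only check for the artifacts listed above, written here as an added example for this writeup (not Symantec's own tool). It assumes PowerShell on the affected host and takes %System% to be the System folder of the running Windows install.

```powershell
# Added check for the W32.Amirecivel indicators listed in this writeup.
# Read-only: it reports what it finds and removes nothing.
$findings = @()

# Persistence value "amircivil" under HKCU\...\Run (data should start with %System%\svchot.exe)
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['amircivil']) {
    $findings += "Run value 'amircivil' = $($run.amircivil)"
}

# Marker subkey the worm creates
$marker = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\amir_civil'
if (Test-Path -LiteralPath $marker) { $findings += "Subkey present: $marker" }

# Dropped files; %System% is assumed to be the current System folder
$system = [Environment]::GetFolderPath('System')
$dropped = @(
    (Join-Path $system 'svchot.exe'),
    'C:\Program Files\Kazaa\My Shared Folder\kaza.cmd',
    'C:\Program Files\Kazaa\My Shared Folder\iraq.pic.scr',
    'C:\Program Files\Kazaa\My Shared Folder\CIVIL.exe',
    'D:\amir_civil.cmd',
    'D:\SCREEN_SAVER.scr',
    'D:\SCREEN_SAVER2.scr',
    'D:\Program Files\Kazaa\My Shared Folder\iran.pic.pif',
    'E:\002.pic.pif',
    'E:\amir_civil.scr',
    'E:\cool.pic.scr',
    'E:\winx32.pif',
    'F:\amir_civil3.scr',
    'F:\iran.scr',
    'F:\iran_02.scr',
    'G:\amir_civil.cmd',
    'G:\anti_virus(norton).doc.cmd'
)
foreach ($p in $dropped) {
    if (Test-Path -LiteralPath $p -PathType Leaf) { $findings += "Dropped file: $p" }
}

# project2.exe copies the worm leaves in folders under C:\ (any hit is worth a look)
Get-ChildItem -LiteralPath 'C:\' -Filter 'project2.exe' -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "Possible copy: $($_.FullName)" }

if ($findings.Count -gt 0) { $findings } else { 'No W32.Amirecivel indicators found.' }
```

Run it from an elevated prompt so the recursive search can read protected folders; drives that do not exist are simply skipped by Test-Path.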
Writeup By: Hatsuho Honda