New Worm Name: W32.Fubalca.E
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
When the worm executes, it copies itself to the first location below and creates the remaining files and registry entry:
- %System%\servet.exe
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoDriveTypeAutoRun" = "0"
- \AutoRun.inf
- %System%\drivers\klick.sys
Service name: WindowsDownService
Description: Windows
The worm creates the following registry subkey for the above service: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WindowsDown
The worm uses advanced techniques to hide itself on the computer under the following file name: %System%\svchost.exe
Once the worm has completed its installation, it deletes itself.
The worm then attempts to download and execute the following malicious files every sixty seconds:
- [http://]www.18dmm.com/arp/[REMOVED]
- [http://]www.18dmm.com/arp/[REMOVED]
- [http://]www.18dmm.com/arp/[REMOVED]
- [http://]www.18dmm.com/arp/[REMOVED]
- [http://]www.18dmm.com/arp/[REMOVED]
- [http://]www.18dmm.com/arp/[REMOVED]
- [http://]www.18dmm.com/arp/[REMOVED]
- [http://]www.18dmm.com/arp/[REMOVED]
- [http://]www.18dmm.com/arp/[REMOVED]
- [http://]www.18dmm.com/arp/10.[REMOVED]
- [http://]www.18dmm.com/arp/11.[REMOVED]
- [http://]www.18dmm.com/arp/12.[REMOVED]
- [http://]www.18dmm.com/arp/13.[REMOVED]
- [http://]www.18dmm.com/arp/14.[REMOVED]
- [http://]www.18dd.net/new/system[REMOVED]
The above files are saved to the following locations:
- %System%\1.exe
- %System%\2.exe
- %System%\3.exe
- %System%\4.exe
- %System%\5.exe
- %System%\6.exe
- %System%\7.exe
- %System%\8.exe
- %System%\9.exe
- %System%\10.exe
- %System%\11.exe
- %System%\12.exe
- %System%\13.exe
- %System%\14.exe
- %System%\system22.exe
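The file, registry and service names above are enough for a read-only host check. The following PowerShell triage script is an added example written for this page; it is not part of the advisory and not a vendor tool. It assumes an elevated PowerShell session on the suspect host, resolves %System% through .NET, and only reports what it finds (it removes nothing). The function name Test-FubalcaArtifacts is my own.

```powershell
# Added triage script, not from the original advisory. Read-only: reports, does not clean.
# Assumes an elevated PowerShell session on the host being checked.
function Test-FubalcaArtifacts {
    [CmdletBinding()]
    param()

    $system   = [Environment]::GetFolderPath('System')   # resolves %System%, e.g. C:\Windows\System32
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Dropped files named in the write-up: servet.exe, drivers\klick.sys,
    #    the downloaded payloads 1.exe..14.exe and system22.exe.
    $names = @('servet.exe', 'drivers\klick.sys', 'system22.exe') +
             (1..14 | ForEach-Object { "$_.exe" })
    foreach ($n in $names) {
        $p = Join-Path $system $n
        if (Test-Path -LiteralPath $p) { $findings.Add("file present: $p") }
    }

    # 2. \AutoRun.inf in the root of every file-system drive.
    foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
        $inf = Join-Path $drive.Root 'AutoRun.inf'
        if (Test-Path -LiteralPath $inf) { $findings.Add("autorun file present: $inf") }
    }

    # 3. NoDriveTypeAutoRun forced to 0 under HKCU (autorun enabled for every drive type).
    $polKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $val = (Get-ItemProperty -Path $polKey -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    if ($null -ne $val -and [int]$val -eq 0) {
        $findings.Add("registry: NoDriveTypeAutoRun = 0 under $polKey")
    }

    # 4. The WindowsDownService service and its ...\Services\WindowsDown key.
    $svc = Get-Service -Name 'WindowsDownService' -ErrorAction SilentlyContinue
    if ($svc) { $findings.Add("service present: WindowsDownService (status $($svc.Status))") }
    $svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\WindowsDown'
    if (Test-Path -LiteralPath $svcKey) { $findings.Add("registry key present: $svcKey") }

    # 5. The worm hides as %System%\svchost.exe, a name the legitimate Windows binary
    #    also uses, so mere existence proves nothing. Check the Authenticode signature
    #    instead and treat anything other than Valid as a lead to investigate.
    $svchost = Join-Path $system 'svchost.exe'
    if (Test-Path -LiteralPath $svchost) {
        $sig = Get-AuthenticodeSignature -FilePath $svchost
        if ($sig.Status -ne 'Valid') {
            $findings.Add("svchost.exe signature status: $($sig.Status) ($svchost)")
        }
    }

    return $findings
}

$hits = Test-FubalcaArtifacts
if ($hits.Count -eq 0) { 'No W32.Fubalca.E artifacts found.' } else { $hits }
```

The svchost.exe check is the one that needs judgement: on older Windows releases the system binary is catalog-signed rather than embedded-signed, so a NotSigned result there is a reason to compare the file's hash against a known-good copy, not a verdict on its own. The NoDriveTypeAutoRun value is checked only in HKCU because that is the hive the write-up names; the same value can also live under HKLM on a hardened host.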