Worm/Otwycal.g - Worm
Virus: Worm/Otwycal.g
Date discovered: 24/04/2008
Type: Worm
In the wild: Yes
Reported Infections: Low
Distribution Potential: Medium
Damage Potential: Medium
Static file: No
File size: ~9.300 Bytes
IVDF version: 7.00.03.206 - Thu, 24 Apr 2008 12:51 (GMT+1)
General
Method of propagation:
• Mapped network drives
Aliases:
• Kaspersky: Worm.Win32.AutoRun.doc
• F-Secure: Worm.Win32.AutoRun.doc
• Grisoft: Worm/Generic.IEO
• Eset: Win32/AutoRun.NC
Platforms / OS:
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003
Side effects:
• Drops files
• Steals information
• Third party control
Files
It copies itself to the following locations:
• %WINDIR%\windows.ext
• %drive%:\MSDOS.bat
A section is added to a file.
– To: %SYSDIR%\spoolsv.exe With the following contents:
   • %executed file%
This makes the mentioned file run after reboot.
It deletes the initially executed copy of itself.
The following files are created:
– %drive%:\autorun.inf This is a non-malicious text file with the following content:
   • %code that runs malware%
Backdoor
Contact server:
The following:
• http://444.er18.com/**********
As a result it may send information and remote control could be provided. The server's answer is written to the file: %SYSDIR%\config.txt
File details
Runtime packer:
To hinder detection and reduce the size of the file, it is packed with the following runtime packer:
• Upack
Description inserted by Andrei Gherman on Wed, 06 Aug 2008 11:36 (GMT+1)
Description updated by Andrei Gherman on Wed, 06 Aug 2008 11:48 (GMT+1)