Win32.Worm.Zindos.A (Worm.Win32.Zindos.a; Win32/Zindos.A.Trojan)
SYMPTOMS:
TECHNICAL DESCRIPTION:
When run, the worm creates the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Run with the value: "Tray" = [worm exe file]

The worm uses Backdoor.Mydoom.M to spread on port 1034. It sends itself to random IP addresses 10 times per second. The backdoor on the victim computer saves the worm in the temporary folder, then executes it.

After 3 minutes the worm starts an attack on www.microsoft.com by repeatedly starting a thread that reads the site's start page and deletes the downloaded file 20 times per second. The repeat interval starts at 1 second and increases by 250 milliseconds every time. So after only 5 minutes, about 260 thousand read attempts are made.

The worm file is usually found in the Windows temporary folder, which may be one of the following: and has a random file name and an EXE extension.

Removal instructions: Let BitDefender delete files found infected by this worm.

ANALYZED BY: Mihai Neagu, BitDefender Virus Researcher
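A detection check built on the spreading behaviour described above, added here as an example and not BitDefender's code: it flags hosts that contact many distinct addresses on TCP port 1034 within a short window. The log format, window length and threshold are assumptions, and the sample log is constructed.

```python
"""Flag hosts that fan out to many distinct addresses on TCP port 1034."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

BACKDOOR_PORT = 1034             # port named in the description above
WINDOW = timedelta(seconds=10)   # assumption: sliding-window length
MIN_DISTINCT_DSTS = 20           # assumption: distinct targets per window treated as scanning


def sample_log():
    """Constructed connection log, one 'ISO-timestamp src dst dst_port' per line."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    lines = []
    for i in range(30):
        fast = (t0 + timedelta(milliseconds=100 * i)).isoformat()
        slow = (t0 + timedelta(seconds=i)).isoformat()
        # Worm-like: a new target every 100 ms on port 1034.
        lines.append(f"{fast} 192.0.2.10 198.51.100.{i + 1} 1034")
        # Benign: repeated connections to a single peer on port 1034.
        lines.append(f"{slow} 192.0.2.20 203.0.113.5 1034")
        # Benign: many peers, but on port 443.
        lines.append(f"{fast} 192.0.2.30 198.51.100.{i + 1} 443")
    return lines


def parse(lines):
    for line in lines:
        ts, src, dst, dport = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(dport)


def find_scanners(rows, port=BACKDOOR_PORT, window=WINDOW, min_dsts=MIN_DISTINCT_DSTS):
    """Return {src: peak distinct destinations seen on `port` within one window}."""
    recent = defaultdict(deque)  # src -> (timestamp, dst) pairs still inside the window
    peaks = {}
    for ts, src, dst, dport in sorted(rows):
        if dport != port:
            continue
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > window:
            q.popleft()
        distinct = len({d for _, d in q})
        if distinct >= min_dsts:
            peaks[src] = max(peaks.get(src, 0), distinct)
    return peaks


if __name__ == "__main__":
    for src, n in find_scanners(parse(sample_log())).items():
        print(f"{src}: {n} distinct destinations on port {BACKDOOR_PORT} within {WINDOW}")
```

Counting distinct destinations rather than raw connections keeps a host that talks repeatedly to one peer on port 1034 from being flagged.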