We think the author of the .ani worm we reported yesterday has realized how serious it would be if his (or her) worm infected lots of Chinese computers. Maybe he (or she) doesn't want to be arrested like Li Jun, the author of Worm.Win32.Fujacks.
In the latest version of this .ani worm, he (or she) has removed the functions that infected .HTML, .ASPX, .HTM, .PHP, .JSP and .ASP files and inserted into them malicious links for the Windows Animated Cursor Handling zero-day vulnerability. He (or she) has also left a message in the worm body saying that he (or she) doesn't want to destroy any computers, destroy any documents, or infect system files.
The message:
Hello Rui Xing an kapersky! I don't want to destroy any computers,I don't destroy any documents,I don't infect system files.Don't Kill me!! xV4

(Rui Xing is Rising, a Chinese AV vendor.)
Upon execution, it drops the following file:
%SYSTEM%\sysbmw.exe
Adds the following entry into registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
"System Boot Check"="%SYSTEM%\sysbmw.exe"
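A defender-side check for the two indicators above, as an added example that is not part of the original post: it scans the text output of reg query for the HKCU Run key and flags values named "System Boot Check" or launching sysbmw.exe. The output layout assumed here and the sample rows are constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Indicators taken from the write-up above.
IOC_VALUE_NAME = "system boot check"
IOC_FILE_NAME = "sysbmw.exe"

# Constructed sample of `reg query` output for the HKCU Run key
# (assumed layout; not captured from a real host).
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    System Boot Check    REG_SZ    C:\WINDOWS\system32\sysbmw.exe
    Updater    REG_EXPAND_SZ    "%SystemRoot%\System32\SYSBMW.EXE" /s
"""

# One value row: indented name, type and data separated by a tab or four spaces.
ROW = re.compile(
    r"^\s+(?P<name>.+?)(?:\t| {4})(?P<type>REG_\w+)(?:\t| {4})(?P<data>.*)$"
)

def image_name(data):
    """Return the lower-cased executable file name from a Run command line."""
    m = re.match(r'\s*(?:"([^"]+)"|(.+?\.exe)(?=\s|$)|(\S+))', data, re.I)
    if not m:
        return ""
    path = next(g for g in m.groups() if g)
    return PureWindowsPath(path).name.lower()

def find_hits(reg_query_text):
    """Return (value name, data, reasons) for each Run value matching an indicator."""
    hits = []
    for line in reg_query_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # key header or blank line
        reasons = []
        if m["name"].strip().lower() == IOC_VALUE_NAME:
            reasons.append("value name")
        if image_name(m["data"]) == IOC_FILE_NAME:
            reasons.append("file name")
        if reasons:
            hits.append((m["name"].strip(), m["data"], reasons))
    return hits

if __name__ == "__main__":
    for name, data, reasons in find_hits(SAMPLE_REG_QUERY):
        print(f"{name!r} -> {data} (matched on: {', '.join(reasons)})")
```

Matching on the file name as well as the value name catches a Run entry that was renamed but still launches the same dropped file.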
Last modified by smallmo on April 1, 2007 19:06
ticticta Says :
April 8, 2007 23:32
hah, very funny.
kvirus Says :
April 2, 2007 00:32

Still not believing.