| Name |
| --- |
| %SysDir%\NvCpl.EXE |

Description

W32.Yanz.B@mm is a mass-mailing worm that uses its own SMTP engine to spread.

1. Adds itself to Windows startup, masquerading as the NVIDIA control panel application NvCpl.exe.
2. Creates the following files:
   - %System%\Dong_Shi.exe
   - %System%\NvCpl.EXE
   - C:\Yanzi.htm
   - %Windir%\Sun_YanZI.zip (a zip file containing Sun_Yan_Zi-Shen_Q1.mp3.pif, a copy of the worm)
   - %System%\Huai_Tian_Q1.sys (a MIME-encoded zip file containing Sun_Yan_Zi-Shen_Q1.mp3.pif, a copy of the worm)
   - %System%\I_am_Sun_Yanzi.sys (a MIME-encoded copy of the worm)
   - YanZi.vbs (created in the current folder; it creates the file sun.exe)

When sun.exe runs, it creates three .jpg files under the %Temp% folder, with file names prefixed "SuN". One of these files is a Trojan that exploits the Microsoft GDI+ Library JPEG Segment Length Integer Underflow vulnerability (described in Microsoft Security Bulletin MS04-028) to download and execute a file named m00.exe from the domain sunyanzi.fastmail.cn. This file is also a Trojan.