New NEWFOLDER.EXE (part 1)
January 10, 2009. Posted by reversengineering in RCE vs BadWares.
Today somebody gave me a USB mobile disk and asked me to check it for viruses etc. I checked it with NOD32 (3750) and found nothing, everything seemed fine!! But when I looked closer at the files I found a new badware (worm or virus...!).
Summary of this file and my observations, made without any tools (but I have two Windows installs):
Size: 386 KB
Other names of this file: solary.exe, p.exe
What happens if we execute it:
1. It copies itself under names matching every folder/subfolder on your hard drive. For example, if you have a windows folder or system32, you will get windows.exe, system32.exe...
If you have 100 folders and subfolders you will have 100 foldername.exe and subfoldername.exe files.
2. It deletes your Task Manager and all the IMPORTANT CONTROL PANEL items.
3. It replaces notepad.exe with D:\WINDOWS\regedit.exe and deletes it.
4. It also disables everything in your registry :)
5. It removes the RUN and SEARCH bars from the Start menu.
6. It creates AUTORUN.INF in the root of all your hard drives, etc.
...Everything is clear for cleaning; for the deleted files you have to copy them back to the right place.
I hope you never see this.
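As an added defender-side example (my own code, not from the original post), here is a Python scan for the two artifacts described above on a mounted drive: executables named after a sibling folder, and an autorun.inf at the drive root with a launch entry. It assumes the worm drops each copy beside the folder whose name it borrows; the sample drive layout and file contents are constructed for the demo.

```python
import os
import tempfile

AUTORUN_LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")  # keys that launch a program

def find_folder_mimics(root):
    """Relative paths (forward slashes) of files named '<dir>.exe' that sit beside
    a directory '<dir>'. Assumption: each worm copy lands next to the folder it mimics."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        by_lower = {f.lower(): f for f in filenames}  # Windows names are case-insensitive
        for d in dirnames:
            mimic = by_lower.get(d.lower() + ".exe")
            if mimic:
                rel = os.path.relpath(os.path.join(dirpath, mimic), root)
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)

def autorun_launch_targets(root):
    """Programs an autorun.inf in `root` would launch; [] if there is none."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.isfile(path):
        return []
    targets = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            key, sep, value = line.partition("=")
            if sep and key.strip().lower() in AUTORUN_LAUNCH_KEYS:
                targets.append(value.strip())
    return targets

def scan_drive(root):
    return {"mimics": find_folder_mimics(root), "autorun_targets": autorun_launch_targets(root)}

def build_sample_drive(base):
    """Constructed sample layout of an infected stick (placeholder bytes, not malware)."""
    os.makedirs(os.path.join(base, "photos", "2008"))
    os.makedirs(os.path.join(base, "docs"))
    for rel in ("photos.exe", "docs.exe", "photos/2008.exe",
                "photos/holiday.jpg", "docs/notes.txt"):
        with open(os.path.join(base, *rel.split("/")), "wb") as fh:
            fh.write(b"placeholder")
    with open(os.path.join(base, "autorun.inf"), "w") as fh:
        fh.write("[autorun]\nopen=photos.exe\nicon=photos.exe\n")

def run_demo():
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_drive(tmp)
        return scan_drive(tmp)
```

Run `scan_drive("E:\\")` (or the mount point of the stick) on a real drive; anything it reports deserves a look before the drive is opened in Explorer.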
Downadup worm
January 9, 2009. Posted by reversengineering in RCE vs BadWares.
Name: Worm:W32/Downadup.AL
Detection names: Worm:W32/Downadup.AL, Net-Worm.Win32.Kido
Aliases: Worm:Win32/Conficker (Microsoft), Mal/Conficker (Sophos), W32/Conficker.worm.gen (Symantec)
A standalone malicious program which uses computer or network resources to make complete copies of itself. May include code or other malware to damage both the system and the network.
For more info:
Also about AUTORUN.inf, this worm builds it on USB drives: