New NEWFOLDER.EXE (part 1) January 10, 2009
Posted by reversengineering in RCE vs BadWares.
Hi,
Today somebody gave me a USB mobile disk and asked me to check it for viruses and so on. I checked it with NOD32 (3750) and found nothing; everything seemed fine! But when I looked closer at the files, I found a new badware (worm or virus…!).
Summary of this file and my observations, made without any tools, but I have two Windows installs:
Size: 386 KB
Other names of this file: solary.exe, p.exe
What happens if we execute it:
1- It copies itself under names matching every folder and subfolder on your hard drive. For example, if you have a WINDOWS folder or a system32 folder, you will get windows.exe, system32.exe, …
If you have 100 folders and subfolders, you will have 100 foldername.exe and subfoldername.exe files.
2- It deletes your Task Manager and all the IMPORTANT CONTROL PANEL applets,
LIKE:
D:\WINDOWS\system32\sysdm.cpl
D:\WINDOWS\system32\wscui.cpl
D:\WINDOWS\system32\appwiz.cpl
D:\WINDOWS\system32\inetcpl.cpl
msconfig
&…
3- It replaces notepad.exe with D:\WINDOWS\regedit.exe and deletes it.
4- It also disables everything in your registry :)
5- It removes the Run and Search entries from the Start menu.
6- It creates AUTORUN.INF in the root of every hard drive, etc.
…everything is clear for cleaning.
For the deleted files, you have to copy them back to the right place.
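As an added example (not the blog author's code), here is a small indicator scan built from the observations above: it looks for a foldername.exe dropped beside every folder, reads any AUTORUN.INF in the drive root to see what it would launch, and lists which of the system32 files named above are missing so you know what to copy back. Everything it scans is a constructed temporary tree with placeholder files, so it runs offline; the file name solary.exe in the sample autorun.inf is taken from the post, while taskmgr.exe standing in for "Task Manager" is an assumption. The parser also skips the filler lines that worm-written autorun.inf files often carry.

```python
"""Indicator scan for the NEWFOLDER.EXE-style worm described in the post.

Added example, not the blog author's code. Indicators taken from the post:
  - a <foldername>.exe dropped beside every folder and subfolder
  - an AUTORUN.INF written to each drive root
  - system tools removed from %SystemRoot%\\system32 (the .cpl files listed above)
The sample tree is constructed here with placeholder files; nothing in it is real malware.
"""
from __future__ import annotations

import json
import os
import shutil
import tempfile
from pathlib import Path

# Files the post says the worm deletes from system32. taskmgr.exe is an assumption for
# "Task Manager"; msconfig lives outside system32 on XP and is not checked here.
EXPECTED_SYSTEM32 = ["sysdm.cpl", "wscui.cpl", "appwiz.cpl", "inetcpl.cpl", "taskmgr.exe"]


def find_folder_twins(root: Path) -> list[Path]:
    """Every <name>.exe that sits next to a directory called <name> (case-insensitive)."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        by_lower = {f.lower(): f for f in filenames}
        for d in dirnames:
            twin = by_lower.get(d.lower() + ".exe")
            if twin:
                hits.append(Path(dirpath) / twin)
    return hits


def parse_autorun(text: str) -> dict[str, str]:
    """key -> value from the [autorun] section. Worm-written autorun.inf files are often
    padded with junk, so anything that is not key=value inside [autorun] is skipped."""
    section, keys = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        k, v = line.split("=", 1)
        keys[k.strip().lower()] = v.strip()
    return keys


def autorun_targets(keys: dict[str, str]) -> list[tuple[str, str]]:
    """(key, program) pairs that make Windows run something: open=, shellexecute= and
    shell\\<verb>\\command=. icon/label/action keys are cosmetic and ignored."""
    return [
        (k, v)
        for k, v in keys.items()
        if k in ("open", "shellexecute") or (k.startswith("shell\\") and k.endswith("\\command"))
    ]


def scan_drive(root: Path) -> dict:
    """Run the three checks against one drive root (here: any directory)."""
    report = {
        "twins": sorted(p.relative_to(root).as_posix() for p in find_folder_twins(root)),
        "autorun": [],
        "missing": [],
    }
    inf = next((p for p in root.iterdir() if p.name.lower() == "autorun.inf"), None)
    if inf is not None:
        report["autorun"] = autorun_targets(parse_autorun(inf.read_text(errors="replace")))
    sys32 = root / "WINDOWS" / "system32"
    if sys32.is_dir():
        present = {p.name.lower() for p in sys32.iterdir()}
        report["missing"] = [f for f in EXPECTED_SYSTEM32 if f not in present]
    return report


def build_sample_tree() -> Path:
    """Constructed tree laid out the way the post describes an infected drive."""
    root = Path(tempfile.mkdtemp(prefix="newfolder_demo_"))
    (root / "WINDOWS" / "system32").mkdir(parents=True)
    (root / "Photos" / "2008").mkdir(parents=True)
    for twin in ("WINDOWS.exe", "WINDOWS/system32.exe", "Photos.exe", "Photos/2008.exe"):
        (root / twin).write_bytes(b"MZ placeholder, not an executable")
    (root / "WINDOWS" / "system32" / "appwiz.cpl").write_bytes(b"placeholder")  # the only survivor
    (root / "autorun.inf").write_text(
        "[autorun]\r\n"
        "open=solary.exe\r\n"  # one of the dropper names from the post
        "shell\\open\\command=solary.exe\r\n"
        "icon=%SystemRoot%\\system32\\shell32.dll,4\r\n"
        ";filler\r\n"
        "random padding line without an equals sign\r\n"
    )
    return root


def demo() -> dict:
    """Build the sample tree, scan it, and remove it again."""
    root = build_sample_tree()
    try:
        return scan_drive(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Point scan_drive at a real drive root (for example Path("D:/")) to run the same checks on the infected disk; the twin list is what to delete, the autorun targets tell you which dropper the INF launches, and the missing list is what to copy back from a clean install.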
I hope you never see this.
Downadup worm January 9, 2009
Posted by reversengineering in RCE vs BadWares.
Name: Worm:W32/Downadup.AL
Detection names: Worm:W32/Downadup.AL, Net-Worm.Win32.Kido
Aliases: Worm:Win32/Conficker (Microsoft), Mal/Conficker (Sophos), W32/Conficker.worm.gen (Symantec)
Type: Worm
Category: Malware
Platform: W32
Summary
A standalone malicious program which uses computer or network resources to make complete copies of itself. May include code or other malware to damage both the system and the network.
For more info:
http://www.f-secure.com/v-descs/worm_w32_downadup_al.shtml
http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
Also about AUTORUN.INF: this worm creates it on the USB drive: