Detection files published: 2 March 2006
Description created: 2006-03-07
Description updated: 2006-03-07

Alias: IM-Worm.Win32.Vizim.a (Kaspersky)
Spreading mechanism: Network

Payload: Deletes and disables system files
W32/Dinoxi.A is an AOL Instant Messenger worm written in Visual Basic. File size is 266 240 bytes.
The worm spreads by sending messages to the contacts on the AOL Instant Messenger Buddy List of the infected machine.
The contacted person sees a link in the messenger window with one of the following texts:
"Cool hacking programs!"
or
"Funniest clip ever!"
Both are links to a website from which the worm is downloaded as the file "a.exe".
File changes on the infected machine:
Creates the file "C:\DOCUMENTS AND SETTINGS\%username%\LOCAL SETTINGS\Temp\%random%.tmp", 16 384 bytes in size.
Copies itself to "C:\CodeBlack.exe"
Copies itself to "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\CodeBlack.exe" (started automatically at logon for every user)
Copies itself to "C:\WINDOWS\system32\CodeBlack.exe"
It also overwrites random files on the hard drive with itself.
Deletes the file "C:\WINDOWS\system32\Restore\rstrui.exe" (System Restore)
Deletes the file "C:\WINDOWS\system32\taskmgr.exe" (Task Manager)
Deletes the file "C:\WINDOWS\system32\cmd.exe" (command prompt)
Deletes the file "C:\WINDOWS\system32\dllcache\msconfig.exe" (Windows File Protection cache copy of System Configuration Utility)
Deletes the file "C:\WINDOWS\pchealth\helpctr\binaries\msconfig.exe" (System Configuration Utility)
Changes to registry:
Sets value "0100" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun"
which removes the Run command from the Start menu.
Sets value "0100" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose"
which prevents the user from shutting down or restarting the computer from the Start menu.
Sets value "0100" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLogOff"
which prevents the user from logging off the computer.
Sets value "a website" in key "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page"
to make that website the start page of Internet Explorer and lure the user into downloading the file a.exe.
Sets value "a href="website"
in key "HKCU\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users\IAmGoneList\GoneMsg0001"
which is displayed as a link in the AOL Instant Messenger away-message window.
Sets value "website"
with a link text such as "Funniest Clip Ever!" - when clicked it downloads the file a.exe from a website.
Sets value "0x1" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskmgr"
which prevents the user from opening Task Manager -
when the user tries to open Task Manager, the message "Task Manager has been disabled by your system administrator." is shown.
Sets value "0x1" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools"
which prevents the user from running regedit.
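The file and registry changes above are a complete enough footprint to triage a host by hand. The following PowerShell script is an added example written for this page; it is not Norman's code or tooling. It checks for the three dropped copies (comparing against the 266 240 byte size given above), for the five deleted system tools, and for the HKCU policy values the worm sets, and with the hypothetical -Remediate switch removes the copies and policy values it finds. The paths are the XP-era ones from the description; the assumption that %SystemRoot% stands in for C:\WINDOWS is this example's own. Because the worm also overwrites random files with itself, this script is a triage aid, not a complete clean-up.

```powershell
# Added example, not part of Norman's description or products: triage a host
# for the W32/Dinoxi.A artifacts listed on this page. Run as the affected user,
# since every registry change the worm makes is under HKCU.
param([switch]$Remediate)   # hypothetical switch: delete what is found

$SystemRoot = $env:SystemRoot   # assumed to be C:\WINDOWS on the XP hosts described
$findings   = New-Object System.Collections.Generic.List[string]

# 1. Dropped copies of the worm (size taken from the description: 266 240 bytes).
$wormCopies = @(
    'C:\CodeBlack.exe',
    'C:\Documents and Settings\All Users\Start Menu\Programs\Startup\CodeBlack.exe',
    (Join-Path $SystemRoot 'system32\CodeBlack.exe')
)
foreach ($p in $wormCopies) {
    if (Test-Path -LiteralPath $p) {
        $len  = (Get-Item -LiteralPath $p).Length
        $note = if ($len -eq 266240) { ', size matches description' } else { '' }
        $findings.Add("worm copy present: $p ($len bytes$note)")
        if ($Remediate) { Remove-Item -LiteralPath $p -Force }
    }
}

# 2. System tools the worm deletes; their absence is itself an indicator.
$deletedTools = @(
    'system32\Restore\rstrui.exe',
    'system32\taskmgr.exe',
    'system32\cmd.exe',
    'system32\dllcache\msconfig.exe',
    'pchealth\helpctr\binaries\msconfig.exe'
) | ForEach-Object { Join-Path $SystemRoot $_ }
foreach ($p in $deletedTools) {
    if (-not (Test-Path -LiteralPath $p)) { $findings.Add("expected system file missing: $p") }
}

# 3. Policy values the worm sets. The Explorer values are written as binary
#    ("0100"), the System values as DWORD 1; a non-zero first byte means "on".
$policies = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Names = 'NoRun', 'NoClose', 'NoLogOff' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Names = 'DisableTaskmgr', 'DisableRegistryTools' }
)
foreach ($pol in $policies) {
    if (-not (Test-Path $pol.Key)) { continue }
    $props = Get-ItemProperty -Path $pol.Key
    foreach ($n in $pol.Names) {
        $v = $props.$n
        if ($null -eq $v) { continue }
        $on = if ($v -is [byte[]]) { $v.Length -gt 0 -and $v[0] -ne 0 } else { [int]$v -ne 0 }
        if ($on) {
            $findings.Add("policy set: $($pol.Key)\$n")
            if ($Remediate) { Remove-ItemProperty -Path $pol.Key -Name $n }
        }
    }
}

# 4. The IE start page and the AIM away message are only reported, never changed:
#    the description does not give the exact URL, so a person has to judge them.
$ie = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue
if ($ie -and $ie.'Start Page') { $findings.Add("IE start page: $($ie.'Start Page')") }
$aimUsers = 'HKCU:\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users'
if (Test-Path $aimUsers) {
    foreach ($u in Get-ChildItem -Path $aimUsers) {
        $gone = Get-ItemProperty -Path "$aimUsers\$($u.PSChildName)\IAmGoneList" -ErrorAction SilentlyContinue
        if ($gone -and $gone.GoneMsg0001 -match 'href=') {
            $findings.Add("AIM away message with link for $($u.PSChildName): $($gone.GoneMsg0001)")
        }
    }
}

if ($findings.Count -eq 0) { 'No W32/Dinoxi.A indicators found.' } else { $findings }
```

Run it first without -Remediate and read the output; the deleted tools cannot be restored by this script, and the System Restore, Task Manager and cmd.exe copies it reports as missing have to come back from the dllcache or installation media. Since the worm disables regedit through DisableRegistryTools, PowerShell's registry provider is a convenient way to read and clear these values without that tool.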
Norman's antivirus products are in general able to remove all malicious software that is detected.
Some malware, however, uses techniques that the general product does not remove sufficiently. We have therefore developed the free product Norman Malware Cleaner. Please use the latest version of this program from the link below if your Norman antivirus is unable to clean up the infection.
| Usage | Title | Comment |
|---|---|---|
| Stopping network share infectors | | |
| Cleaning of back-up folders on Windows Me and XP | | |