How Does the "ALABAMA" Worm Work?

Alabama. Initially we thought this was just another worm like VB-Shortcut, because it uses the standard Visual Basic application icon. But as we did further analysis, it seems the characteristics of this worm are different from VB-Shortcut. The string "Alabama" is contained in the body of the ViewFiles worm. Does this indicate the worm came from Alabama?

Malware Info
Name: ViewFiles
Origin: probably from Alabama
File Size: 168 KB (172.032 bytes)
Packer: -
Programming: Visual Basic
Icon: Visual Basic Applications
Type: Worm
About Malware
Besides the shortcuts created by several recent worms, the Visual Basic application icon is also a feature of the worms that have been reported in large numbers since August 2010. The maker of the ViewFiles worm did the same. The worm's name is taken from the parent file that spreads on flash disks, which is named ViewFiles.exe.
Files created
On an infected computer, the ViewFiles worm creates an autorun file and companion files on the flash disk; the companion files are called by the autorun file.


The contents of the autorun file always change, as in the example below. This is intended to outwit detection by antivirus, but some important parts are not changed by the worm.
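Because the filler changes while the important parts stay the same, a check on the launch directives is more stable than a hash of the whole autorun file. The following is an added example, not code from the original post or from the worm: it extracts the standard AutoRun launch keys and fingerprints only those. The two sample files and their filler lines are constructed, and the form of the randomization is an assumption; only the name ViewFiles.exe comes from this page.

```python
import hashlib
import re

# Standard AutoRun keys that make Windows start a program.
LAUNCH_KEYS = {"open", "shellexecute"}
SHELL_CMD = re.compile(r"^shell\\[^\\]+\\command$")

# Constructed samples (not captured from the worm): same launch directives,
# different filler. ViewFiles.exe is the file name given on this page.
SAMPLE_A = r"""
;kq83hd02mznx
[AutoRun]
jd8s7=qpwoe
open=ViewFiles.exe
;zz91
shell\open\command=ViewFiles.exe
"""
SAMPLE_B = r"""
;0000xyzt
[autorun]
a1b2=c3
OPEN = ViewFiles.exe
Shell\Open\Command = ViewFiles.exe
;ppqq
"""


def launch_targets(text):
    """Return [(key, command)] for launch directives in the [autorun] section."""
    targets, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        key, sep, value = line.partition("=")
        key = key.strip().lower()
        if in_section and sep and (key in LAUNCH_KEYS or SHELL_CMD.match(key)):
            targets.append((key, value.strip().lower()))
    return targets


def directive_fingerprint(text):
    """SHA-256 over the sorted launch directives only, ignoring all filler."""
    canon = "\n".join(f"{k}={v}" for k, v in sorted(launch_targets(text)))
    return hashlib.sha256(canon.encode()).hexdigest()
```

Both samples differ byte for byte, yet `directive_fingerprint` returns the same value for each, which is what makes it usable as a scan rule for removable drives.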

Infection Results

The ViewFiles worm hides in the RECYCLER folder and creates a folder that looks almost the same as the contents of the RECYCLER folder, as in the picture below.


To be able to run at startup, this worm creates a key named Taskman at:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman


 
 