W32.Minudazash
W32.Minudazash is a computer worm that propagates by copying itself to mapped network drives and removable USB drives. It relies on Windows autorun functionality (an autorun.inf file dropped in the drive root) to launch itself whenever the drive is accessed. W32.Minudazash can also steal sensitive information and allows a remote attacker to take control of the computer through a backdoor port.
Damage Level: Medium
Systems Affected: Windows 9x, 2000, XP, Vista, Windows 7
Characteristics
- The worm can change the wallpaper settings on the infected computer.
- An unauthorized attacker can control the PC through a Remote Desktop application.
- It can disable the keyboard.
- W32.Minudazash can record keystrokes and audio from the microphone of the affected system.
- The worm can steal information such as the list of installed programs and Yahoo login credentials. The collected data is sent to a remote server at a specified time.
Distribution
The worm spreads by copying itself to all network drives and removable devices as %DriveLetter%\cbclient.exe, alongside an autorun.inf in the drive root that launches the copy.
It also creates the following registry entries. The first starts the worm each time a user logs on; the second adds the threat file to the Windows Firewall list of authorized applications so that its network connections are not blocked (the value's fields are path, scope, where * means all, Enabled, and a display name):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"systemntfy" = "%System%\systemntfy.exe"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\"%CurrentFolder%\[ORIGINAL THREAT FILE NAME].exe" = "%CurrentFolder%\[ORIGINAL THREAT FILE NAME].exe:*:Enabled:System"
Associated Files and Folders:
%System%\systemntfy.exe
%SystemDrive%\cbclient.exe
%System%\ftplog.dll
%DriveLetter%\cbclient.exe
%DriveLetter%\autorun.inf
%SystemDrive%\autorun.inf
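The three mechanisms described above (an autorun.inf that launches cbclient.exe, a Run key that persists systemntfy.exe, and a Windows Firewall exception for the threat file) can be checked offline from exported artifacts. The script below is an added example and is not code from the original write-up or from any vendor tool. The autorun.inf and .reg contents it parses are constructed samples: they reuse only the file and key names from this page, while the concrete paths (C:\Windows\system32, C:\Users\alice\Downloads) and the benign OneDrive and Firefox entries are assumed filler. The functions `parse_ini`, `autorun_commands`, `parse_firewall_entry` and `triage` are this example's own names.

```python
"""Offline triage of the artifacts this write-up associates with W32.Minudazash.

Added example, not code from the original write-up. It parses a constructed
drive-root autorun.inf and a constructed .reg export of the Run key and the
Windows Firewall AuthorizedApplications list, and reports entries that launch
or whitelist the files named on the page.
"""
import re

# File names taken from the write-up's "Associated Files and Folders" list.
SUSPECT_FILES = {"cbclient.exe", "systemntfy.exe"}

# Constructed sample autorun.inf, consistent with the page's %DriveLetter%\cbclient.exe.
# It is NOT a capture of the worm's own file; the icon and label lines are filler.
SAMPLE_AUTORUN_INF = r"""[autorun]
; constructed sample
open=cbclient.exe
shellexecute=cbclient.exe
shell\open\command=cbclient.exe
icon=%SystemRoot%\system32\shell32.dll,4
label=Removable Disk
"""

# Constructed .reg export of the two keys the write-up lists. The concrete paths
# and the OneDrive and Firefox entries are assumed noise, not from the page.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"systemntfy"="C:\\Windows\\system32\\systemntfy.exe"
"OneDrive"="C:\\Program Files\\OneDrive\\OneDrive.exe /background"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Users\\alice\\Downloads\\cbclient.exe"="C:\\Users\\alice\\Downloads\\cbclient.exe:*:Enabled:System"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"""


def _unquote(s):
    """Strip surrounding double quotes and undo the .reg escaping of backslashes."""
    if len(s) >= 2 and s[0] == '"' and s[-1] == '"':
        s = s[1:-1].replace("\\\\", "\\")
    return s


def parse_ini(text):
    """Parse INI-style text (autorun.inf or .reg) into {section: {key: value}}.
    Keys are lower-cased because both formats are case-insensitive."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][_unquote(key).lower()] = _unquote(value)
    return sections


def _section(sections, suffix):
    """Return the first section whose name ends with suffix (case-insensitive)."""
    for name, values in sections.items():
        if name.lower().endswith(suffix.lower()):
            return values
    return {}


def basename(path):
    """Lower-cased final path component, accepting either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def exe_name(command):
    """Lower-cased basename of the program a command line launches."""
    command = command.strip()
    if command.startswith('"'):
        program = command[1:].split('"', 1)[0]
    else:
        program = command.split(" ", 1)[0]  # unquoted paths with spaces are ambiguous
    return basename(program)


def autorun_commands(inf_text):
    """Commands an autorun.inf can make the shell run: the 'open' and
    'shellexecute' entries plus every shell\\<verb>\\command entry."""
    section = _section(parse_ini(inf_text), "autorun")
    return {k: v for k, v in section.items()
            if k in ("open", "shellexecute") or re.fullmatch(r"shell\\[^\\]+\\command", k)}


def parse_firewall_entry(value):
    """Split an AuthorizedApplications\\List value laid out as
    <path>:<scope>:<Enabled|Disabled>:<display name>. The path contains a
    drive-letter colon, so the split runs from the right."""
    path, scope, state, name = value.rsplit(":", 3)
    return {"path": path, "scope": scope, "state": state, "name": name}


def triage(inf_text, reg_text):
    """Return human-readable findings for entries that reference SUSPECT_FILES."""
    findings = []
    for key, cmd in autorun_commands(inf_text).items():
        if exe_name(cmd) in SUSPECT_FILES:
            findings.append(f"autorun.inf: {key}={cmd}")
    sections = parse_ini(reg_text)
    for name, cmd in _section(sections, r"\Run").items():
        if exe_name(cmd) in SUSPECT_FILES:
            findings.append(f"Run key: {name} -> {cmd}")
    for value in _section(sections, r"\AuthorizedApplications\List").values():
        entry = parse_firewall_entry(value)
        if basename(entry["path"]) in SUSPECT_FILES and entry["state"].lower() == "enabled":
            findings.append(f"firewall exception: {entry['path']} (scope {entry['scope']})")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_AUTORUN_INF, SAMPLE_REG):
        print(finding)
```

On a real host, autorun.inf files are read from the drive roots and the two keys are exported with `reg export`; note that `reg export` writes UTF-16 with a byte-order mark, so decode the file before passing its text to `triage`. The sample output lists the three autorun entries, the Run value and the firewall exception, five findings in all.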