Author Topic: W32/Bindo.worm  (Read 2342 times)


hamidr86

W32/Bindo.worm
« on: November 06, 2007, 08:11:41 PM »
Hi friends.
Avast does not recognize the W32/Bindo.worm :'(
How can I get rid of this worm?

McAfee seems to recognize this worm. Check http://vil.nai.com/vil/content/v_143482.htm

Regards.
James.

Offline Lisandro

Re: W32/Bindo.worm
« Reply #1 on: November 06, 2007, 10:32:12 PM »
Can you send the samples to virus@avast.com?
You can zip and password-protect the files... Include a link to this thread and the password used.
You can send the files to Chest and, from there, resend to Alwil for analysis.
Thanks.
The best things in life are free.

Offline polonus

Re: W32/Bindo.worm
« Reply #2 on: November 06, 2007, 10:36:54 PM »
Hi hamidr86,

Here are the virus's characteristics:
Overview -

Detection for this worm was added to cover against a 32 bit PE file called "soundmax.exe", having a filesize of 139.264 bytes.

Characteristics -

The file is not internally compressed with a packer. The file is written using the MSVC++ development tool.

Upon execution, it runs silently, no gui messages appear on the screen.

It immediately copies itself and creates a registry entry so that the worm gets executed automatically upon system start:

    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "SoundMax"
      Data: C:\Program Files\Sound Utility\Soundmax.exe

Besides that, it might change the registry with:

    * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "Nofolderoptions"
      Data: 01, 00, 00, 00

The worm tries to copy itself to shared drives/folders, such as Kazaa/Limewire but also ICQ shared folders. In these it might copy itself as "Sex_ScreenSaver.scr" and/or "Sex_Game.exe".

There's no exploit associated with it; infection starts with manual execution of the worm.

    * c:\autoply.exe (size: 139.264 bytes)
    * c:\Documents and Settings\##user##\Local Settings\Temp\svchost.exe (size: 139.264 bytes)
    * c:\Program Files\Common Files\Microsoft Shared\MSshare.exe (size: 139.264 bytes)
    * c:\Program Files\Sound Utility\Soundmax.exe (size: 139.264 bytes)
    * c:\WINNT\Web\OfficeUpdate.exe (size: 139.264 bytes)

Besides these it might try to drop/create:

    * c:\Autorun.inf (size: 301 bytes)
    * A file called "important.htm" on the desktop, titled Salam - Doste - Man.

Symptoms -

    * Presence of a 32 bit PE file called "soundmax.exe", having a filesize of 139.264 bytes.
    * Presence of the mentioned registry modifications
    * It might try to drop/create a file called c:\Autorun.inf (size: 301 bytes)
    * It might try to drop/create a file called "important.htm" on the desktop, titled Salam - Doste - Man.

Method of Infection -

    * The worm tries to copy itself to shared drives/folders, such as Kazaa/Limewire but also ICQ shared folders.
    * There's no exploit associated with it; infection starts with manual execution of the worm.

Removal -

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher

pol
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
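As an added defender's example (not code from this thread, from Avast or from McAfee), the following Python hunt checks a host inventory against the indicators quoted above: the "SoundMax" Run entry, the NoFolderOptions policy, the five copy locations at 139.264 bytes (with ##user## matched against any profile name) and the 301-byte Autorun.inf. The registry and file snapshots at the bottom are constructed sample data, not a real capture.

```python
import re
# Indicators as quoted from the McAfee write-up in the post above.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
POLICY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
WORM_SIZE = 139264          # "139.264 bytes" in the write-up
AUTORUN_SIZE = 301
DROP_PATHS = [
    r"c:\autoply.exe",
    r"c:\Documents and Settings\##user##\Local Settings\Temp\svchost.exe",
    r"c:\Program Files\Common Files\Microsoft Shared\MSshare.exe",
    r"c:\Program Files\Sound Utility\Soundmax.exe",
    r"c:\WINNT\Web\OfficeUpdate.exe",
]
def path_pattern(p):
    """Turn a write-up path into a case-insensitive regex; ##user## matches any profile name."""
    parts = [re.escape(x) for x in p.split("##user##")]
    return re.compile("^" + r"[^\\]+".join(parts) + "$", re.IGNORECASE)
DROP_PATTERNS = [path_pattern(p) for p in DROP_PATHS]
def hunt(registry, files):
    """registry: {(key, value_name): data}; files: {path: size_bytes}. Returns a list of findings."""
    findings = []
    data = registry.get((RUN_KEY, "SoundMax"))
    if data and data.lower().endswith(r"\sound utility\soundmax.exe"):
        findings.append(f"run-key persistence: SoundMax -> {data}")
    if registry.get((POLICY_KEY, "NoFolderOptions")) == 1:
        findings.append("NoFolderOptions policy set (Folder Options hidden from the user)")
    for path, size in files.items():
        # A worm copy must match both a known drop location and the exact file size.
        if size == WORM_SIZE and any(pat.match(path) for pat in DROP_PATTERNS):
            findings.append(f"worm copy: {path} ({size} bytes)")
        elif size == AUTORUN_SIZE and path.lower() == r"c:\autorun.inf":
            findings.append(f"possible dropped autorun.inf: {path}")
    return findings
# Constructed sample host state (not a real capture) to exercise the checks.
SAMPLE_REGISTRY = {
    (RUN_KEY, "SoundMax"): r"C:\Program Files\Sound Utility\Soundmax.exe",
    (POLICY_KEY, "NoFolderOptions"): 1,
}
SAMPLE_FILES = {
    r"C:\Program Files\Sound Utility\Soundmax.exe": 139264,
    r"C:\Documents and Settings\james\Local Settings\Temp\svchost.exe": 139264,
    r"C:\WINDOWS\system32\svchost.exe": 14336,   # legitimate: wrong path and size
    r"C:\Autorun.inf": 301,
}
if __name__ == "__main__":
    for finding in hunt(SAMPLE_REGISTRY, SAMPLE_FILES):
        print(finding)
```

On a live Windows host the two snapshots would be filled from the registry and a directory walk; the matching logic stays the same.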