Hi hamidr86,
Here are the virus's characteristics:
Overview -
Detection for this worm was added to cover against a 32 bit PE file called "soundmax.exe", having a filesize of 139.264 bytes.
Characteristics -
Detection for this worm was added to cover against a 32 bit PE file called "soundmax.exe", having a filesize of 139.264 bytes.
The file is not internally compressed with a packer. The file is written using the MSVC++ development tool.
Upon execution, it runs silently, no gui messages appear on the screen.
It immediately copies itself and creates a registry entry so that the worm gets executed automatically upon system start:
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "SoundMax"
Data: C:\Program Files\Sound Utility\Soundmax.exe
Besides that it might change the registry with
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "Nofolderoptions"
Data: 01, 00, 00, 00
The worm tries to copy itself to shared drives/folders, such as Kazaa/Limewire but also ICQ shared folders. In these it might copy itself as "Sex_ScreenSaver.scr" and/or "Sex_Game.exe".
There's no exploit associated with it, infection starts with manual execution of the worm.
* c:\autoply.exe (size: 139.264 bytes)
* c:\Documents and Settings\##user##\Local Settings\Temp\svchost.exe (size: 139.264 bytes)
* c:\Program Files\Common Files\Microsoft Shared\MSshare.exe (size: 139.264 bytes)
* c:\Program Files\Sound Utility\Soundmax.exe (size: 139.264 bytes)
* c:\WINNT\Web\OfficeUpdate.exe (size: 139.264 bytes)
Besides these it might try to drop/create:
# c:\Autorun.inf (size: 301 bytes)
# A file called "important.htm" on the desktop, titled Salam - Doste - Man.
Symptoms -
* Presence of a 32 bit PE file called "soundmax.exe", having a filesize of 139.264 bytes.
* Presence of the mentioned registry modifications
* It might try to drop/create a file called c:\Autorun.inf (size: 301 bytes)
* It might try to drop/create a file called "important.htm" on the desktop, titled Salam - Doste - Man.
Method of Infection -
* The worm tries to copy itself to shared drives/folders, such as Kazaa/Limewire but also ICQ shared folders.
* There's no exploit associated with it, infection starts with manual execution of the worm.
Removal -
All Users:
Use current engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher
pol
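As an added example (not part of the post above or of the vendor profile it quotes), here is a read-only PowerShell triage script that checks a Windows host for the file and registry indicators the profile lists. It assumes that "139.264 bytes" uses a European thousands separator and means 139,264 bytes, that the `##user##` placeholder should be expanded to every profile directory under both the older `Documents and Settings` layout and the newer `Users` layout, and that `C:\WINNT` may correspond to `%SystemRoot%` on the host being checked; the registry value spellings are taken from the profile as written.

```powershell
# Added triage example; not the original post's or the vendor's code.
# Assumption: "139.264 bytes" in the profile means 139,264 bytes.
$WormSize    = 139264
$AutorunSize = 301

# Fixed-path indicators from the profile. $null means the profile states no size.
$FileChecks = @{
    'C:\autoply.exe'                                                = $WormSize
    'C:\Program Files\Common Files\Microsoft Shared\MSshare.exe'    = $WormSize
    'C:\Program Files\Sound Utility\Soundmax.exe'                   = $WormSize
    'C:\WINNT\Web\OfficeUpdate.exe'                                 = $WormSize
    'C:\Autorun.inf'                                                = $AutorunSize
}
# Assumption: on hosts without C:\WINNT, the same relative path under %SystemRoot%.
$FileChecks[(Join-Path $env:SystemRoot 'Web\OfficeUpdate.exe')] = $WormSize

# Expand the ##user## placeholder over every profile directory (both layouts).
$ProfileRoots = Get-ChildItem -Path 'C:\Documents and Settings', 'C:\Users' `
    -Directory -ErrorAction SilentlyContinue
foreach ($Profile in $ProfileRoots) {
    $FileChecks[(Join-Path $Profile.FullName 'Local Settings\Temp\svchost.exe')] = $WormSize
    $FileChecks[(Join-Path $Profile.FullName 'AppData\Local\Temp\svchost.exe')]  = $WormSize
    $FileChecks[(Join-Path $Profile.FullName 'Desktop\important.htm')]           = $null
}

# Registry indicators from the profile (value names as the profile spells them).
$RegistryChecks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';
       Name = 'SoundMax' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer';
       Name = 'Nofolderoptions' }
)

$Findings = @()

foreach ($Path in $FileChecks.Keys) {
    if (Test-Path -LiteralPath $Path -PathType Leaf) {
        $Item     = Get-Item -LiteralPath $Path
        $Expected = $FileChecks[$Path]
        # A path match alone is a hit; a size match raises confidence.
        $SizeNote = if ($null -eq $Expected) { 'size not stated in profile' }
                    elseif ($Item.Length -eq $Expected) { "size matches ($Expected)" }
                    else { "size differs (found $($Item.Length), expected $Expected)" }
        $Findings += [pscustomobject]@{ Type = 'File'; Indicator = $Path; Detail = $SizeNote }
    }
}

foreach ($Check in $RegistryChecks) {
    $Props = Get-ItemProperty -Path $Check.Path -Name $Check.Name -ErrorAction SilentlyContinue
    if ($null -ne $Props) {
        $Findings += [pscustomobject]@{
            Type      = 'Registry'
            Indicator = "$($Check.Path)\$($Check.Name)"
            Detail    = "data: $($Props.$($Check.Name))"
        }
    }
}

if ($Findings.Count -eq 0) {
    'No indicators from the profile were found on this host.'
} else {
    $Findings | Sort-Object Type, Indicator | Format-Table -AutoSize
}
```

Run it from an elevated PowerShell session so that `HKLM` and every profile directory are readable; it only reads files and registry values and changes nothing, so the findings can be handed to the scanner-based removal the post recommends. A size mismatch on an otherwise matching path is still worth investigating, since the profile describes one specific sample and a later variant may differ in size.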