
         
         

 

Virus Name: W32/Atin.worm
Risk Assessment: Low-Profiled
Discovery Date: 04/02/2008
Min DAT: 5222
Type: Virus
SubType: Worm
 
Virus Characteristics
 

This worm has an icon of a folder.

On execution, this worm copies itself into every folder on all drives, with the same name as that of the host folder.
It also copies itself into removable drives.

The worm changes the window title of Internet Explorer by adding the following registry key.

  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Window Title" = ::::::::NITA_WORM::::::::

 

The worm changes the Start Page and Search Page by modifying the following registry keys.

  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Start Page" = www.N[removed].net
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Search Page" = www.INI_[removed].com

 

The worm adds the following registry keys to load itself at system startup.

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "load" = \New Folder.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "load" = \New Folder.exe

 

The worm changes the names and icons of My Computer and Recycle Bin by modifying values in the following registry keys:

  • HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}
  • HKEY_CLASSES_ROOT\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}

 

The worm disables many features of Explorer, including the right-click context menu, by adding the following registry keys.

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoViewContextMenu" = 1
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoClose" = 1
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoFolderOptions" = 1
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoStartMenuMorePrograms" = 1
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoViewOnDrive" = 1

 

This worm also creates the following registry keys to disable access to certain system tools.

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options "ansav.exedebugger" = explorer.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options "A-VSafeRun.exedebugger" = explorer.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\A2HIJACKFREE.EXE "debugger" = explorer.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\A-VIGen32.exe "debugger" = explorer.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CMD.exe "debugger" = explorer.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe "debugger" = explorer.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32kui.exe "debugger" = explorer.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProMo.exe "debugger" = explorer.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regedit.exe "debugger" = explorer.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regedit32.exe "debugger" = explorer.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe "debugger"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TaskMgr.exe "debugger" = explorer.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VB6.exe "debugger" = explorer.exe

 

This worm also adds the following registry entries.

  • HKEY_CLASSES_ROOT\batfile "FriendlyTypeName" = NITA_WORM ada di sini
  • HKEY_CLASSES_ROOT\dllfile "FriendlyTypeName" = NITA_WORM ada di sini
  • HKEY_CLASSES_ROOT\exefile "FriendlyTypeName" = NITA_WORM ada di sini
  • HKEY_CLASSES_ROOT\htmlfile "FriendlyTypeName" = NITA_WORM ada di sini
  • HKEY_CLASSES_ROOT\inifile "FriendlyTypeName" = NITA_WORM ada di sini
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer "ShowDriveLettersFirst" = 2
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "DisableThumbnailCache" = 1
  • HKEY_CLASSES_ROOT\exefile "InfoTip" = Folder is empty
  • HKEY_CLASSES_ROOT\inffile "FriendlyTypeName" = NITA_WORM ada di sini
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion "ProgramFilesDir" = NITA_WORM was here.exe
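
An added example, not part of the original description: a Python triage script that scans the text of a .reg export for the registry changes listed above (Run "load" entry, Explorer policy restrictions, Image File Execution Options debugger redirects, NITA_WORM strings). The function names, indicator labels and the sample export are constructed for illustration.

```python
import re
# Registry locations and value names taken from the description above (lowercased).
IFEO = r"software\microsoft\windows nt\currentversion\image file execution options"
POLICY = r"software\microsoft\windows\currentversion\policies\explorer"
RUN = r"software\microsoft\windows\currentversion\run"
POLICY_VALUES = {"noviewcontextmenu", "noclose", "nofolderoptions",
                 "nostartmenumoreprograms", "noviewondrive"}

def parse_reg(text):  # yields (key, value_name, data) from .reg export text
    key = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := re.match(r'"([^"]*)"=(.*)$', line)):
            data = m.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\")  # undo .reg escaping
            yield key, m.group(1), data

def find_indicators(text):
    """Return (kind, key, value_name, data) for each entry matching the write-up."""
    hits = []
    for key, name, data in parse_reg(text):
        k, n, d = key.lower(), name.lower(), data.lower()
        # endswith() also catches the fused "ansav.exedebugger" value names
        if IFEO in k and n.endswith("debugger") and "explorer.exe" in d:
            hits.append(("ifeo-debugger", key, name, data))
        elif k.endswith(POLICY) and n in POLICY_VALUES and d == "dword:00000001":
            hits.append(("explorer-policy", key, name, data))
        elif k.endswith(RUN) and n == "load" and d.endswith("new folder.exe"):
            hits.append(("run-load", key, name, data))
        elif "nita_worm" in d:
            hits.append(("nita-string", key, name, data))
    return hits

# Constructed sample export (not from a real host); "Updater" is a benign control.
SAMPLE = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regedit.exe]
"debugger"="explorer.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"load"="\\New Folder.exe"
"Updater"="C:\\Program Files\\Example\\updater.exe"
[HKEY_CLASSES_ROOT\exefile]
"FriendlyTypeName"="NITA_WORM ada di sini"
'''

if __name__ == "__main__":
    for hit in find_indicators(SAMPLE): print(hit)
```

Real exports written by regedit are UTF-16 encoded, so decode the file accordingly before passing its text to find_indicators().
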
Symptoms
 
"My Computer" renamed as "Recycle Bin" and having a folder icon.
"Recycle Bin" renamed as "My Computer".
Presence of files with folder icon in all folders with the same name as the host folder.
Certain features of Explorer not working, e.g. the right-click context menu is not displayed.
Method Of Infection

This worm may come via a spammed email or malicious link, or it may be spread by its intended method of infected removable drives and file sharing.

Removal Instructions

 

Use specified engine and DAT files for detection and removal. This threat will be cleaned if you have this combination.

 

 

 

     1386 Shabakeh Gostar Eng

 
