
W32.SillyFDC.BCT

Posted: August 25, 2009

W32.SillyFDC.BCT is a computer worm that spreads by copying itself to removable USB devices and through file-sharing networks. It may also create its own registry entry so that the worm runs each time Windows starts.

File System Modifications

  • The following files were created in the system:
    %System%\dllcache\cdaudio.sys
    %System%\drivers\cdaudio.sys
    %SystemDrive%\xs6kpr0.exe
    %Temp%\cvasds0.dll
    %Temp%\herss.exe

Registry Modifications

  • The following newly produced Registry Values are:

    Subkeys:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"Hidden" = "2"
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"ShowSuperHidden" = "1"
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoDriveTypeAutoRun" = "181"
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"cdoosoft" = "%Temp%\herss.exe"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\"CheckedValue" = "1"

    Registry Keys:
    HKEY_CLASSES_ROOT\CLSID\MADOWN\"urlinfo" = "[MM-DD HH:MM:SS]] From:[IP ADDRESS]:http:\\gir88e. [REMOVED] Port 80<\address>\0a\0aSERVER_SOFTWARE=Apache\2.2.0 (Fedora)\0aSERVER_NAME=gir88e"
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AVPsys\"DisplayName" = "AVPsys"
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AVPsys\"ErrorControl" = "1"
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AVPsys\"ImagePath" = "%System%\drivers\cdaudio.sys"
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AVPsys\"Start" = "3"
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AVPsys\"Type" = "1"
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AVPsys\Security\"Security" = "[BINARY DATA]"
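The file and registry artifacts above are the indicators a responder would sweep a host for. The Python below is an added example, not code from the original entry or its vendor: it loads the indicators listed in this entry and checks them against a snapshot of a host's file paths and registry values. The snapshot here is constructed inline; on a real machine it would come from a file listing and a registry export. The `PLACEHOLDERS` mapping, the `RegValue` type and the strong/weak weighting are assumptions of this example, not part of the report. The Explorer view settings (`Hidden`, `ShowSuperHidden`, `CheckedValue`, `NoDriveTypeAutoRun`) also occur on clean hosts, so they are treated only as corroboration; the `Run` value, the `AVPsys` service and the `MADOWN` key are treated as strong signals.

```python
"""Indicator check for the W32.SillyFDC.BCT artifacts listed in this entry.

Added example, not code from the original page or its vendor. Compares a
constructed host snapshot against the file and registry indicators above.
"""
from __future__ import annotations

from dataclasses import dataclass

# Assumed expansions of the report's placeholders (Windows XP-style layout).
PLACEHOLDERS = {
    "%System%": r"C:\WINDOWS\system32",
    "%SystemDrive%": "C:",
    "%Temp%": r"C:\Documents and Settings\user\Local Settings\Temp",
}

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
ADVANCED_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
POLICY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
SHOWALL_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL"
SERVICE_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AVPsys"
MADOWN_KEY = r"HKEY_CLASSES_ROOT\CLSID\MADOWN"

# File indicators taken from the report.
IOC_FILES = [
    r"%System%\dllcache\cdaudio.sys",
    r"%System%\drivers\cdaudio.sys",
    r"%SystemDrive%\xs6kpr0.exe",
    r"%Temp%\cvasds0.dll",
    r"%Temp%\herss.exe",
]

# Registry indicators: (weight, key, value name, expected data; None = any data).
# Weighting is this example's assumption, not the report's.
IOC_REGISTRY = [
    ("strong", RUN_KEY, "cdoosoft", r"%Temp%\herss.exe"),
    ("strong", SERVICE_KEY, "ImagePath", r"%System%\drivers\cdaudio.sys"),
    ("strong", SERVICE_KEY, "DisplayName", "AVPsys"),
    ("strong", MADOWN_KEY, "urlinfo", None),
    ("weak", POLICY_KEY, "NoDriveTypeAutoRun", "181"),
    ("weak", ADVANCED_KEY, "Hidden", "2"),
    ("weak", ADVANCED_KEY, "ShowSuperHidden", "1"),
    ("weak", SHOWALL_KEY, "CheckedValue", "1"),
]


@dataclass(frozen=True)
class RegValue:
    """One registry value from the snapshot (hypothetical container type)."""
    key: str
    name: str
    data: str


def expand(path: str) -> str:
    """Substitute the report's placeholders with the assumed locations."""
    for token, real in PLACEHOLDERS.items():
        path = path.replace(token, real)
    return path


def norm(path: str) -> str:
    """Case-fold (Windows paths are case-insensitive) and drop a \\??\\ prefix."""
    p = path.strip().lower()
    return p[4:] if p.startswith("\\??\\") else p


def data_matches(expected: str | None, actual: str) -> bool:
    """True when registry data matches an indicator; numeric data must be exact."""
    if expected is None:
        return True
    e, a = norm(expand(expected)), norm(actual)
    if e == a:
        return True
    # Driver ImagePaths are often stored relative to the Windows directory
    # (e.g. system32\drivers\x.sys), so accept a match on the part after the placeholder.
    if "\\" in expected:
        tail = expected
        for token in PLACEHOLDERS:
            tail = tail.replace(token, "")
        return a.endswith(norm(tail))
    return False


def check_files(present: list[str]) -> list[str]:
    """Return the file indicators whose expanded path is in the snapshot."""
    seen = {norm(p) for p in present}
    return [ioc for ioc in IOC_FILES if norm(expand(ioc)) in seen]


def check_registry(values: list[RegValue]) -> dict[str, list[str]]:
    """Return strong and weak registry hits as 'key\\name = data' strings."""
    index = {(norm(v.key), v.name.lower()): v.data for v in values}
    hits: dict[str, list[str]] = {"strong": [], "weak": []}
    for weight, key, name, expected in IOC_REGISTRY:
        actual = index.get((norm(key), name.lower()))
        if actual is not None and data_matches(expected, actual):
            hits[weight].append(f"{key}\\{name} = {actual}")
    return hits


def assess(present_files: list[str], values: list[RegValue]) -> dict:
    """Combine file and registry hits into a verdict (thresholds are assumptions)."""
    files = check_files(present_files)
    reg = check_registry(values)
    if reg["strong"] or len(files) >= 2:
        verdict = "likely infected"
    elif reg["weak"] or files:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"files": files, "registry": reg, "verdict": verdict}


# Constructed snapshot of an infected host (not real telemetry).
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\drivers\cdaudio.sys",
    r"C:\WINDOWS\system32\drivers\ntfs.sys",
    r"C:\Documents and Settings\user\Local Settings\Temp\herss.exe",
]
SAMPLE_REGISTRY = [
    RegValue(RUN_KEY, "cdoosoft", r"C:\Documents and Settings\user\Local Settings\Temp\herss.exe"),
    RegValue(RUN_KEY, "ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),  # benign entry
    RegValue(SERVICE_KEY, "ImagePath", r"\??\C:\WINDOWS\system32\drivers\cdaudio.sys"),
    RegValue(SERVICE_KEY, "DisplayName", "AVPsys"),
    RegValue(POLICY_KEY, "NoDriveTypeAutoRun", "181"),
    RegValue(ADVANCED_KEY, "Hidden", "1"),  # data differs from the indicator, so no hit
]

if __name__ == "__main__":
    report = assess(SAMPLE_FILES, SAMPLE_REGISTRY)
    print(report["verdict"])
    for f in report["files"]:
        print("file   ", f)
    for weight in ("strong", "weak"):
        for hit in report["registry"][weight]:
            print(weight.ljust(7), hit)
```

Path indicators alone are weak evidence, since a file name can coincide with one a clean install also carries; confirm file hits by hash or signature before acting on them, and treat the service name, the `Run` value and the `MADOWN` key as the decisive signals.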