Inker

Posted: March 28, 2006

Inker is a specific sript worm written in Visual Basic Script applicationming language. It spreads in the Internet, usually through IRC chat networks using mIRC application or by e-mail in letters with infected attachments.

File System Modifications

The following files were created in the system:

# File Name

1 ip.bat

2 ipnuker.vbs

3 ipuser.bat

4 ipusercreate.bat

#	File Name
1	ip.bat
2	ipnuker.vbs
3	ipuser.bat
4	ipusercreate.bat

Registry Modifications

The following newly produced Registry Values are:
HKEY..\..\..\..{RegistryKeys}HKEY_CLASSES_ROOTShellShellExploreCommand(Default)=C:Windowsipnuker.vbsHKEY_CLASSES_ROOTThemefileShellOpenCommand(Default)=%System%wscript.exeHKEY_CLASSES_ROOTUnknownShellOpenasCommand(Default)=%System%wscript.exeHKEY_CLASSES_ROOTVBSFileEditCommand(Default)=%System%wscript.exeHKEY_CLASSES_ROOTVBSFileShellCommand(Default)=%System%wscript.exeHKEY_CLASSES_ROOTxtfileShellOpenCommand(Default)=%System%wscript.exeHKEY_CLASSES_ROOTxtfileShellPrintCommand(Default)=%System%wscript.exeHKEY_CLASSES_ROOTxtfileShellPrinttoCommand(Default)=%System%wscript.exeHKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorerNoDesktop=1HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternetExplorerMainStart_Page=%Windir%ipnuker.vbsHKEY_LOCAL_MACHINESOFTWAREMicrosoftInternetExplorerMainStart_Page=[siteaddress]HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRegisteredOwner=IpnukerHKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRegisteredOwner=Ipnuker.netHKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRunDisableKeyboard=rundll32.exekeyboardHKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRunDisableMouse=rundll32.exemouseHKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRunwindosxpdisable

Inker

File System Modifications

Registry Modifications

Related Posts

Leave a Reply