
Inker.B

Posted: March 28, 2006

Inker.B is a script worm with a rich set of malicious functions. Written in Visual Basic Script (VBScript), it is an extremely dangerous variant of the similar Inker worm. It spreads over the Internet through IRC chats, by e-mail and via file-sharing networks.

File System Modifications

  • The following files were created in the system:
    # File Name
    1 createuser.vbs
    2 hotmailpasswordfinder.vbs
    3 iecrash.html
    4 iexploit.html
    5 ipnuker.vbs
    6 script.ini

Registry Modifications

  • The following Registry values were newly created: