Virus Profile: Generic.dx!cuo

Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 8/11/2009
Date Added: 8/11/2009
Origin: Unknown
Length: Varies
Type: Trojan
Subtype: Win32
DAT Required: 5706

Description

This detection is for a worm that attempts to copy itself to the root of any accessible disk volume. Additionally, it attempts to place an Autorun.inf file in the root of the volume so that it is executed the next time the volume is mounted.

Aliases
  • Microsoft - Worm:Win32/Hamweq.A
  • Symantec - W32.SillyDC
  • Trend Micro - WORM_VERST.SM
  • F-Prot - W32/Worm.APCA
  • Kaspersky - Worm.Win32.Agent.wm

Indication of Infection

Presence of the files and registry entries listed under Virus Characteristics.

Methods of Infection

This worm spreads primarily by its intended method, infected removable drives. Alternatively, it may be installed by visiting a malicious web page (for example, by clicking a link), or by a website hosting a scripted exploit that installs the worm onto the user's system with no user interaction.
   

Virus Characteristics

Generic.dx!cuo is a worm that spreads by copying itself to system and removable drives.

Upon execution, the worm tries to connect to the URLs and IP address below in order to download further payloads:

  • 67.210.[Removed].142
  • dci.si[Removed].es
  • din[Removed].cdmon.net

Upon execution, the worm injects its code into explorer.exe and copies itself to the following locations:

  • %Systemdrive%:\ReCycLEr\S-1-5-21-1482276501-1663491937-6831267430-1013\svchost.exe
  • [RemovableDrive]:\ReCycLEr\S-1-5-21-1482276501-1663491937-6831267430-1013\svchost.exe
  • [RemovableDrive]:\ReCycLEr\S-1-5-21-1482276501-1663491937-6831267430-1013\Desktop.ini
  • [RemovableDrive]:\autorun.inf [Detected as Generic!atr]

The worm also drops an autorun.inf file into the root of all removable drives and mapped drives in an attempt to autorun an executable when the drive is accessed.

The file "AutoRun.inf" points to the malware's executable binary. When the removable or networked drive is accessed from a machine with the Autorun feature enabled, the malware is launched automatically.

The autorun.inf is configured to launch the Trojan file via the following command syntax:

[autorun]
OPeN=ReCycLEr\S-1-5-21-1482276501-1663491937-6831267430-1013\svchost.exe
IcON=%wIndIr%\sYstEm32\ShElL32.DlL,7
ACtION=Open USB
sHeLl\OpEN=oPEn
sHeLl\OpEN\cOMMaND=ReCycLEr\S-1-5-21-1482276501-1663491937-6831267430-1013\svchost.exe
sHeLl\OpEN\deFaULt=1
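The mixed-case keys above are read case-insensitively by Windows, so a checker has to normalise them before looking at what they launch. The following is an added example, not McAfee's or the worm's code: it parses the autorun.inf quoted above (embedded as a constructed sample) and reports the traits this profile describes, namely a launch key pointing at an executable inside a RECYCLER\<SID> folder, a borrowed shell32.dll icon, and a default shell verb. The `shellexecute` key is a standard autorun.inf key that this sample does not use; it is included so the check also covers that launch path.

```python
import re

# Constructed sample: the autorun.inf quoted in this profile.
SAMPLE_AUTORUN = r"""[autorun]
OPeN=ReCycLEr\S-1-5-21-1482276501-1663491937-6831267430-1013\svchost.exe
IcON=%wIndIr%\sYstEm32\ShElL32.DlL,7
ACtION=Open USB
sHeLl\OpEN=oPEn
sHeLl\OpEN\cOMMaND=ReCycLEr\S-1-5-21-1482276501-1663491937-6831267430-1013\svchost.exe
sHeLl\OpEN\deFaULt=1
"""

# Keys through which autorun.inf can start a program.
LAUNCH_KEYS = ("open", "shellexecute", r"shell\open\command")
# A RECYCLER folder named after a SID, the hiding place this worm uses.
RECYCLER_SID = re.compile(r"recycler\\s-1-5-", re.IGNORECASE)


def parse_autorun(text):
    """Return the [autorun] section as {lower-case key: value}."""
    # Lower-cased because Windows reads keys case-insensitively and this
    # sample randomises case to defeat naive string matching.
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "autorun"
        elif in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def assess_autorun(text):
    """Return human-readable findings; an empty list means nothing flagged."""
    entries = parse_autorun(text)
    findings = []
    for key in LAUNCH_KEYS:
        target = entries.get(key)
        if target is None:
            continue
        if target.lower().endswith(".exe"):
            findings.append(f"{key} launches an executable: {target}")
        if RECYCLER_SID.search(target):
            findings.append(f"{key} points into a RECYCLER\\<SID> folder: {target}")
    if "shell32.dll" in entries.get("icon", "").lower():
        findings.append("icon borrows a shell32.dll resource to look like a system item")
    if entries.get(r"shell\open\default") == "1":
        findings.append(r"shell\open\default=1 makes the injected verb the double-click action")
    return findings
```

Run `assess_autorun(SAMPLE_AUTORUN)` to list the six findings for the sample; a benign autorun.inf that only sets `icon` and `label` yields an empty list.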

The following registry value has been added to the system:

HKey_Local_Machine\SOFTWARE\Microsoft\Active Setup\Installed Components\{Class ID}\StubPath: "%Systemdrive%:\ReCycLEr\S-1-5-21-1482276501-1663491937-6831267430-1013\svchost.exe"

The registry value above ensures that the Trojan is registered as a run entry on the compromised system and executes itself upon every boot.


Removal Instructions

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
