
Worm.Win32.Soriw

Detected Jul 05 2004 12:17 GMT
Released Jul 05 2004 12:17 GMT

This is a description which has been automatically generated following analysis of this program on a test machine. This description may contain incomplete or inaccurate information.

Summary


Technical details

File size of 235779 bytes.


Installation

Makes copies of itself with the following names once launched:

  • %Windir%\system\Services.exe (%Windir% is the Windows directory, usually C:\Windows)

Creates the following files on an infected computer:

  • %System%\Temp\D2J0D2NEOIDJFEM7.PT2 (%System% is the Windows system directory, usually C:\Windows\System32)


Malicious activity

Checks for Dial-Up connections on the infected computer

Creates unique identifiers to flag its presence in the system

  • MAIN SERVICES

Uses the masks shown below to search for files on the victim machine:

  • *.*


Other activities

Runs the following files (commands):

  • netstat -a
  • nbtstat -s
  • tasklist
  • schtasks
  • systeminfo
  • %Windir%\system\Services.exe (%Windir% is the Windows directory, usually C:\Windows)

Modifies the system registry keys:

[HKLM\SOFTWARE\Microsoft\RFC1156Agent\CurrentVersion\Parameters] "TrapPollTimeMilliSecs" = "0x3A98" (HKLM is the system registry hive HKEY_LOCAL_MACHINE)

Deletes the following files on an infected computer (%Windir% is the Windows directory, usually C:\Windows):

  • %Windir%\Temp\B2EDEFBEP2H7TW8L.V7F
  • %Windir%\Temp\SN1H9AXYQP1W67DL.AGN
  • %Windir%\Temp\KT063Y8L7EBQE4YW.N16
  • %Windir%\Temp\7645JKKHT504S99R.1WT
  • %Windir%\Temp\AWGIJDBNDGD8G87Y.IFD


Worm

Worms spread on computer networks via network resources. Unlike a Net-Worm, a Worm must be launched by a user in order to be activated.

This kind of worm searches remote computer networks and copies itself to directories that are read/write accessible (if it finds any). Furthermore, these worms use built-in operating system functions to search for accessible network directories and/or randomly search for computers on the Internet, connect to them, and attempt to gain full access to the disks of these computers.

This category also covers those worms which, for one reason or another, do not fit into any of the other categories defined above (e.g. worms for mobile devices).


Aliases

Worm.Win32.Soriw (Kaspersky Lab) is also known as:

  • Virus: W32/Soriw.worm (McAfee)
  • Troj/Sory-A (Sophos)
  • Worm.Sory (ClamAV)
  • W32/Soriw.A.worm (Panda)
  • W32/Sory.A (FPROT)
  • Worm:Win32/Soriw.A (MS(OneCare))
  • Win32.HLLW.Soriw (DrWeb)
  • Win32/Soriw.A worm (Nod32)
  • Worm.Soriw.A (BitDef7)
  • Worm.Soriw.A (VirusBuster)
  • Win32:Soriw@PECO [Wrm] (AVAST)
  • Trojan-Downloader.Win32.Dadobra (Ikarus)
  • Worm/Soriw.A (AVG)
  • TR/ATRAPS.Gen (AVIRA)
  • W32.Sory.A (NAV)
  • W32/Soriw.C (Norman)
  • W32/Soriw.worm (NAI)
  • WORM_SURIW.A (PCCIL)
  • Worm.Soriw (Rising)
  • Worm.Win32.Soriw [AVP] (FSecure)
  • Worm.Soriw.A (VirusBusterBeta)