| Field | Value |
|---|---|
| Malware name | Worm.Autorun.nuz |
| Type | Worm |
| Affected platform | Win32 |
| Media-Type | application/executable |
| MD5 checksum | 46FF11A91321BAA6FA1D2115A30A09E5 |
| Static file | no |
| Filesize | 43,520 Bytes |
| Side effects | Drops malicious files; Registry modification |
| Propagation | No own spreading routine |

Alias names (also known as):

| Vendor | Detection name |
|---|---|
| Sophos | Mal/EncPk-EQ |
| McAfee | Generic FakeAlert.d |
| CA ETrust | Win32/FakeAlert!generic |
Description:

Files

The following files are created:

– %SYSDIR%\brastk.exe
  This file is executed as soon as it has been fully written. Further investigation showed that this file is malware as well. Detected as: Worm.Autorun.nuz
– %SYSDIR%\dllcache\figaro.sys
  Further investigation showed that this file is malware as well. Detected as: 2356
– %SYSDIR%\dllcache\beep.sys
  Further investigation showed that this file is malware as well. Detected as: 2356
– %SYSDIR%\drivers\beep.sys
  Further investigation showed that this file is malware as well. Detected as: 2356
– %WINDIR%\delself.bat
  This batch file is used to delete a file.
Registry

The following registry keys are added so that the dropped executable is started again after a reboot:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
  • brastk="%SYSDIR%\brastk.exe"
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  • brastk="%SYSDIR%\brastk.exe"
File details

Programming language:
The malware was written in MS Visual C++.

Runtime packer:
To hinder detection and reduce the file size, the executable is packed with a runtime packer.