I-Worm.Win32.Fason Viruses Information

Name: I-Worm.Win32.Fason
Category: Viruses
Description: Details
I-Worm.Win32.Fasong
Fasong is a worm virus spreading via local area networks. The worm itself is a Windows PE EXE file about 170KB in length and is written in Delphi. The worm has a trojan routine (see below).
Installing
While installing, the Fasong worm copies itself to randomly selected directories on randomly selected drives, using randomly selected EXE names, for example:
GMLKU.EXE
TKXMLIB.EXE
LUFV.EXE

The worm registers these files in the system registry auto-run key:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
%rndname%.EXE = %rndname%.EXE

for example:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
GMLKU.EXE = C:\UTIL\GMLKU.EXE

The worm also affects other auto-run keys: it writes references to its different copies to the following keys:
HKCR\chm.file\shell\open\command (default value = "hh.exe" %1)
HKCR\exefile\shell\open\command (default value = "%1 %*")
HKCR\inifile\shell\open\command (default value = "notepad.exe %1")
HKCR\regfile\shell\open\command (default value = "regedit.exe %1")
HKCR\scrfile\shell\open\command (default value = "%1 /S")
HKCR\txtfile\shell\open\command (default value = "notepad.exe %1")

Spreading
The worm copies itself to all local drives with randomly selected EXE names. The worm also copies itself to network drives. To run itself on remote machines, Fasong also creates the autorun.inf file in the drive root directory and writes the [autorun], OPEN= command to this file.
Trojan Routine
The trojan routine gets personal information from OICQ and some other Chinese programs, and then it sends emails containing personal data from victim machines to its master.
Other
The Fasong worm creates the following registry key, where it stores its internal data:
HKLM\Software\Microsoft\Windows\CurrentVersion\win70

Fasong tries to detect and terminate several running anti-virus programs and firewalls.
Fasong looks for the Msread.dt file and reads its internal settings from that file. The settings are text strings such as:
workfile
mima_wenjian
fasong_youxiang
yonghu_ming
youxiang_mima
fasong_zhuti
fanggai_mima
smtp_fuwuqi
auto_share
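
An added example, not part of the original description: a small Python audit that checks a registry snapshot for the artifacts described above (changed file-type open handlers, Run values named after an EXE file, and the win70 data key). The snapshot format, the function names and the sample data are assumptions constructed for illustration; the handler baseline is the set of default values as this page lists them.

```python
import ntpath

# Default handler commands exactly as this description lists them.
DEFAULT_HANDLERS = {
    r"HKCR\chm.file\shell\open\command": '"hh.exe" %1',
    r"HKCR\exefile\shell\open\command": "%1 %*",
    r"HKCR\inifile\shell\open\command": "notepad.exe %1",
    r"HKCR\regfile\shell\open\command": "regedit.exe %1",
    r"HKCR\scrfile\shell\open\command": "%1 /S",
    r"HKCR\txtfile\shell\open\command": "notepad.exe %1",
}
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
DATA_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\win70"


def normalize(cmd):
    """Drop quotes, collapse whitespace and lowercase, for comparison."""
    return " ".join(cmd.replace('"', "").lower().split())


def audit(snapshot):
    """snapshot: {key path: {value name: data}}; '' is the default value."""
    keys = {k.lower(): v for k, v in snapshot.items()}
    findings = []
    for key, expected in DEFAULT_HANDLERS.items():
        actual = keys.get(key.lower(), {}).get("")
        if actual is not None and normalize(actual) != normalize(expected):
            findings.append(("handler-changed", key, actual))
    for name, data in keys.get(RUN_KEY.lower(), {}).items():
        # Pattern from the description: the value name is the EXE file name.
        base = ntpath.basename(data.strip('"')).lower()
        if name.lower().endswith(".exe") and base == name.lower():
            findings.append(("run-exe-named-value", name, data))
    if DATA_KEY.lower() in keys:
        findings.append(("win70-key-present", DATA_KEY, ""))
    return findings


# Constructed snapshot for illustration (not data from a real host).
SAMPLE = {
    RUN_KEY: {"GMLKU.EXE": r"C:\UTIL\GMLKU.EXE", "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe"},
    r"HKCR\txtfile\shell\open\command": {"": r"C:\UTIL\TKXMLIB.EXE %1"},
    r"HKCR\exefile\shell\open\command": {"": '"%1" %*'},
    DATA_KEY: {},
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Handler commands on a real system can differ from the defaults listed here (full paths, quoting), so replace the baseline with values taken from a known-good machine of the same Windows version before acting on a "handler-changed" finding.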




 


© 2006-2008 spyware32.com - Privacy Policy