Win32.Worm.Antinny.BJ

(Worm.Win32.Antinny.aw, Win32/Antinny.AK!Worm, WORM_ANTINNY.BJ, W32/Antinny.worm.ab, W32/Antinny.BP)
Spreading: low
Damage: medium
Size: 278 KBytes (packed)
Discovered: 2006 Apr 14

SYMPTOMS:

Existence of %WINDOWS%\UP\ folder
Existence of a zip file in %WINDOWS%\UP\ folder
Existence of C:\ÄEÉl.scr
Win.ini modified (see technical description for more)
 

TECHNICAL DESCRIPTION:

This virus arrives via the Winny peer-to-peer application or via file-sharing networks that use Share.exe.
If the user is tricked into executing the .scr file, the virus does the following:

1. Displays a fake message in Japanese.

2. Creates and runs a copy of itself as:

C:\ÄEÉl.scr (C:\(japanese text).scr)

3. Creates a batch file, FILE.BAT, that attempts to delete both itself and the virus copy created in step 2. FILE.BAT is deleted, but the deletion of C:\ÄEÉl.scr fails.

4. Modifies the WIN.INI file with an infection marker:

[ÄEÉl]
ÄEê╙=1

5. Creates a folder named UP in the %WINDOWS% folder:

%WINDOWS%\UP\

This folder will be shared through the Winny and Share applications. A zip file containing a copy of the worm and some documents will be created here.

6. Searches for the Winny and Share application folders.

7. If the Winny application is installed, the virus modifies UpFolder.txt, the configuration file of the Winny file-sharing application:

[BBS]
Path=%WINDOWS%\Up\
Trip=(date_of_infection)-(time_of_infection)

8. If the Share application is installed, the virus modifies Folder.ini, the configuration file of the Share application:

[UpFolder1]
Path=%WINDOWS%\Up\

9. Searches for files with the following extensions:

.doc
.xls
.mdb
.ppt
.dbx
.eml

10. Spreading and information theft:
Creates a zip file in the shared %WINDOWS%\UP\ folder:

%WINDOWS%\UP\[ÄEÉl] user_name(date_of_infection-time_of_infection)(random japanese characters).zip

The zip file contains a copy of the worm, named (random japanese characters).scr, together with the files found in step 9 (information theft).
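The artifacts from steps 5 to 10 can be checked on a live host or a mounted disk image. The following Python check is an added example, not BitDefender code: the function names and finding labels are hypothetical, and it assumes the P2P configuration files hold the shared folder on a `Path=` line as shown in steps 7 and 8, written either as a literal path or with a `%WINDOWS%`-style variable. The WIN.INI marker is not checked because its section name is Japanese text.

```python
import ntpath
import os
import re

# Added example (not BitDefender code): triage for the artifacts in steps 5-10.
PATH_LINE = re.compile(r"^\s*Path\s*=\s*(.+?)\s*$", re.IGNORECASE | re.MULTILINE)
WINDIR_VAR = re.compile(r"%(WINDOWS|WINDIR|SystemRoot)%", re.IGNORECASE)


def _norm(path):
    # Windows paths are case-insensitive; normalise before comparing.
    return ntpath.normcase(ntpath.normpath(path))


def shares_windows_up(config_text, windir=r"C:\WINDOWS"):
    """True if a Winny UpFolder.txt or Share Folder.ini shares <windir>\\Up."""
    target = _norm(ntpath.join(windir, "UP"))
    for raw in PATH_LINE.findall(config_text):
        # A callable replacement keeps the backslashes in windir literal.
        expanded = WINDIR_VAR.sub(lambda _m: windir, raw)
        if _norm(expanded) == target:
            return True
    return False


def triage(windir, config_files=(), logical_windir=None):
    """Return a list of findings for one host.

    windir: where the Windows directory is readable (live path or mounted image).
    logical_windir: the path as the inspected host saw it, e.g. C:\\WINDOWS.
    """
    findings = []
    up = next((e.path for e in os.scandir(windir)
               if e.is_dir() and e.name.lower() == "up"), None)
    if up:
        findings.append("up_folder_exists")
        if any(n.lower().endswith(".zip") for n in os.listdir(up)):
            findings.append("zip_in_up_folder")
    for cfg in config_files:
        # Japanese Windows tools commonly write CP932; decode leniently.
        with open(cfg, encoding="cp932", errors="replace") as fh:
            if shares_windows_up(fh.read(), logical_windir or windir):
                findings.append("p2p_config_shares_up:" + os.path.basename(cfg))
    return findings
```

A legitimate Winny or Share user may share other upload folders, so only a `Path=` entry that resolves to the UP folder inside the Windows directory is reported.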
 

Removal instructions:

Please let BitDefender disinfect your files.
 

ANALYZED BY:

Patrik Vicol, virus researcher

© 2010 BitDefender
