funsec mailing list archives

Re: Trojan Found In New HDs Sold In Taiwan


From: Juha-Matti Laurio <juha-matti.laurio () netti fi>
Date: Fri, 16 Nov 2007 00:00:04 +0200 (EET)

Probably the deleting of .mp3's is the major payload and uploading is related to targeted variants only.

- Juha-Matti

Dude VanWinkle <dudevanwinkle () gmail com> wrote:
On 11/14/07, Juha-Matti Laurio <juha-matti.laurio () netti fi> wrote:
> Dude VanWinkle <dudevanwinkle () gmail com> wrote:
> > On 11/13/07, Juha-Matti Laurio <juha-matti.laurio () netti fi> wrote:
> > > The description of this malware (Kaspersky's writeup):
> > >
> > > Virus.Win32.AutoRun.ah
> > > http://www.viruslist.com/en/viruses/encyclopedia?virusid=160221
> > >
> > > The payload is not so bad in a corporate environment...
> >
> > The virus modifies values of the following system registry keys:
> >
> > [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
> > DisableTaskMgr = 1
> > [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
> > NoFolderOptions = 1
> >
> > It also searches the hard disk partitions <snip> for files with an
> > ".mp3" extension:
> > <snip>
> > These files will then be deleted.
>
> Thanks for providing the summary to readers who do not visit the Viruslist.com URL.

err sure, anytime..

>
> Additionally, Trend has listed several malware names too, e.g.

I was just wondering why the articles said: This virus -->uploads
all<-- your files to X, and the one you posted said it -->deleted<--
all your -->mp3<-- files. I could have just mis-clicked on a url
again..

-JP

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
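
A defender-side check for the two registry values quoted from the Kaspersky write-up in this thread, added here as an example and not part of the original messages. It scans the text of a `reg export` dump; the function name `find_policy_tampering` and the sample dump are constructed for illustration, and the input is assumed to be already decoded to text.

```python
import re

# (key path, value name) -> data, as listed in the quoted write-up; lower-cased for matching.
INDICATORS = {
    (r"software\microsoft\windows\currentversion\policies\system", "disabletaskmgr"): 1,
    (r"software\microsoft\windows\currentversion\policies\explorer", "nofolderoptions"): 1,
}
# Per-user hives only: HKCU as exported live, or HKEY_USERS\<SID> from an offline/all-users dump.
KEY_RE = re.compile(
    r"^\[(?P<hive>HKEY_CURRENT_USER|HKCU|HKEY_USERS\\[^\\\]]+)\\(?P<path>[^\]]+)\]$", re.I)
VAL_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<data>[0-9a-f]{8})$', re.I)


def find_policy_tampering(reg_text):
    """Return sorted (hive, key path, value name) tuples that match INDICATORS."""
    hits = set()
    hive = path = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = KEY_RE.match(line)
            hive, path = (m.group("hive"), m.group("path")) if m else (None, None)
            continue
        m = VAL_RE.match(line)
        if not (m and path):
            continue
        wanted = INDICATORS.get((path.lower(), m.group("name").lower()))
        if wanted is not None and int(m.group("data"), 16) == wanted:
            hits.add((hive, path, m.group("name")))
    return sorted(hits)


# Constructed sample in `reg export` text form (not taken from a real host).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions"=dword:00000001
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\Software\Example\Policies\System]
"DisableTaskMgr"=dword:00000001
'''

if __name__ == "__main__":
    for hive, path, name in find_policy_tampering(SAMPLE):
        print(f"{hive}\\{path}: {name} = 1")
```

Either value can also be set by legitimate group policy, so a hit is a prompt to check how the setting got there, not proof of infection.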

