MSIL/Antinny [Threat Name]

MSIL/Antinny.A [Threat Variant Name]

Category worm
Size 192512 B
Detection created Aug 10, 2005
Detection database version 0.11191
Aliases Worm.MSIL.Antinny.a (Kaspersky)
  Worm:Win32/Antinny.BC (Microsoft)
  W32.Antinny.K (Symantec)
Short description

MSIL/Antinny.A is a worm that is spread via peer-to-peer networks.

Installation

When executed, the worm copies itself to the following locations:

  • %system%\..\taskmgr.exe
  • %system%\config\IEXPLORE.EXE

Both copies borrow the names of legitimate Windows programs but sit where those programs never live: the genuine taskmgr.exe is inside %system% itself, not one level above it, and %system%\config holds the registry hive files, not a browser executable.

In order to be executed on every system start, the worm sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "taskmgr" = "%system%\..\taskmgr.exe -kira"
    • "IEXPLORE" = "%system%\config\IEXPLORE.EXE -ryuk"
Spreading via P2P networks

MSIL/Antinny.A may be spread via peer-to-peer networks.


The worm affects the behavior of the following applications:

  • Winny

The worm searches for files which contain any of the following strings in their file name:

  • winny.exe

It may also modify the following file in the same folder (Winny's list of upload folders):

  • UpFolder.txt

The worm searches for files whose names match the following pattern (the default naming scheme of many digital cameras):

  • DSC*.jpg

The worm creates copies of the following files (source, destination):

  • DSC*.jpg, %system%\2124\%driveletter%\%variable1%.jpg

The worm copies itself to the following location:

  • %system%\2124\%driveletter%\メール%spaces%.exe

"メール" is Japanese for "mail"; %spaces% stands for a long run of spaces, which pushes the .exe extension out of view in a file listing.

The copied photos and the renamed worm are then compressed into a ZIP archive stored in the following location:

  • %system%\1035\[一般コミック][小畑健×%username%] DEATH NOTE -デスノート- 第%variable2%巻.zip

The archive name imitates a scanned-comic release ("[general comics][Takeshi Obata × %username%] DEATH NOTE -Death Note- volume %variable2%.zip").

%variable1% and %variable2% stand for variable numeric values.
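As an added example (not ESET's tooling and not code from this page), the following Python script turns the persistence entries from the Installation section and the staging folders and decoy file names from the spreading section into an offline triage check. It assumes %system% is C:\WINDOWS\system32; the Run-key export and file paths it runs on are constructed samples, not captured data.

```python
"""Offline triage of the MSIL/Antinny.A indicators on this page (added
example, not ESET's tooling). Assumes %system% = C:\\WINDOWS\\system32; the
registry export and file paths below are constructed samples."""
import re
from ntpath import basename, join, normpath, splitext

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_SWITCHES = {"-kira", "-ryuk"}    # switches the worm passes to its copies
STAGING_DIRS = ("1035", "2124")      # subfolders it creates under %system%
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif"}
# Decoy archive: [一般コミック][小畑健×<user>] DEATH NOTE -デスノート- 第<N>巻.zip
DECOY_ZIP_RE = re.compile(r"^\[一般コミック\]\[小畑健×.+\] DEATH NOTE -デスノート- 第\d+巻\.zip$")
REG_PAIR_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def parse_reg_export(text):
    """[key] headers and "name"="string" lines -> {key: {name: value}}, with
    the \\ and \" escapes undone. dword:/hex: values are ignored."""
    values, key = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            values.setdefault(key, {})
        elif key is not None and (m := REG_PAIR_RE.match(line)):
            name, value = (re.sub(r"\\(.)", r"\1", s) for s in m.groups())
            values[key][name] = value
    return values


def split_command(value):
    """(program, args) from a Run value; a quoted program path is honoured,
    an unquoted one is cut at its first space."""
    value = value.strip()
    if value.startswith('"') and '"' in value[1:]:
        end = value.index('"', 1)
        return value[1:end], value[end + 1:].split()
    parts = value.split() or [""]
    return parts[0], parts[1:]


def suspicious_run_entries(run_values, system_dir):
    """Flag Run values matching the worm's persistence: its -kira/-ryuk
    switches, taskmgr.exe one level above %system% (the real one lives inside
    %system%), or IEXPLORE.EXE under %system%\\config (registry hives live
    there, never a browser)."""
    system_dir = normpath(system_dir).lower()
    windows_dir = normpath(join(system_dir, ".."))
    findings = []
    for name, value in run_values.items():
        program, args = split_command(value)
        path = normpath(program).lower()
        reasons = []
        if RUN_SWITCHES & {a.lower() for a in args}:
            reasons.append("uses the worm's -kira/-ryuk switch")
        if path == join(windows_dir, "taskmgr.exe"):
            reasons.append("taskmgr.exe outside %system%")
        if path == join(system_dir, "config", "iexplore.exe"):
            reasons.append("IEXPLORE.EXE under %system%\\config")
        if reasons:
            findings.append((name, value, reasons))
    return findings


def classify_path(path, system_dir):
    """Why a path looks like worm staging output, or None."""
    p = normpath(path)
    low, name = p.lower(), basename(p)
    sysl = normpath(system_dir).lower()
    staging = [d for d in STAGING_DIRS if low.startswith(join(sysl, d) + "\\")]
    if not staging:
        return None
    stem, ext = splitext(name)
    if DECOY_ZIP_RE.match(name):
        return "decoy ZIP named like a DEATH NOTE scan release in the shared folder"
    if ext.lower() in EXECUTABLE_EXTS and stem.endswith("  "):
        return "executable whose padded name pushes the extension out of view"
    if staging == ["2124"] and re.fullmatch(r"\d+\.jpg", name, re.IGNORECASE):
        return "renamed copy of a DSC*.jpg photo gathered for upload"
    return None


SYSTEM_DIR = r"C:\WINDOWS\system32"
# Constructed samples: the worm's entries plus benign ones that must not fire.
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"taskmgr"="C:\\WINDOWS\\system32\\..\\taskmgr.exe -kira"
"IEXPLORE"="C:\\WINDOWS\\system32\\config\\IEXPLORE.EXE -ryuk"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''
SAMPLE_PATHS = [
    r"C:\WINDOWS\system32\2124\C\メール                                  .exe",
    r"C:\WINDOWS\system32\2124\C\17.jpg",
    r"C:\WINDOWS\system32\1035\[一般コミック][小畑健×alice] DEATH NOTE -デスノート- 第3巻.zip",
    r"C:\Users\alice\Pictures\DSC00042.jpg",
]


def triage(reg_text=SAMPLE_REG, paths=SAMPLE_PATHS, system_dir=SYSTEM_DIR):
    """Run both checks; returns (run_key_findings, file_findings)."""
    run_hits = suspicious_run_entries(parse_reg_export(reg_text).get(RUN_KEY, {}), system_dir)
    file_hits = [(p, r) for p in paths if (r := classify_path(p, system_dir))]
    return run_hits, file_hits
```

Calling triage() with no arguments runs the built-in samples; on a real host feed it the text of `reg export` for the Run key and a directory listing of %system%. Each hit carries its reasons separately, so a padded-name or staging-folder hit without the -kira/-ryuk switch still surfaces variants that changed only the command line.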

Information stealing

MSIL/Antinny.A is a worm that steals sensitive information.


The worm collects the following information:

  • screenshots

The files are saved into the following folder:

  • %system%\1035

This folder is a shared folder used by various instant messaging and P2P applications, so the screenshots are exposed to other peers alongside the ZIP archive described above.
