Win32/Agent.UDI [Threat Name]

Win32/Agent.UDI [Threat Variant Name]

Category: trojan, worm
Size: 200704 B
Detection created: Oct 10, 2012
Detection database version: 7567
Aliases: Worm.Win32.Juched.evr (Kaspersky)
  Worm:Win32/Ganelp (Microsoft)
  W32.Griptolo (Symantec)

Short description

Win32/Agent.UDI is a worm that spreads via removable media.


Installation

When executed, the worm copies itself into the following location:

  • %programfiles%\%variable%\jusched.exe

A string with variable content is used instead of %variable%.


The worm schedules a task that causes the following file to be executed repeatedly:

  • %programfiles%\%variable%\jusched.exe

The worm creates the following file:

  • %windir%\Tasks\Update23.job

The following Registry entry is set:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    • "%programfiles%\%variable%\jusched.exe" = "%programfiles%\%variable%\jusched.exe:*:Enabled:JavaUpdate23"

Setting this entry creates an exception in the Windows Firewall.
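
A check for the firewall exception described above, as an added example (not ESET's code): it parses values from the AuthorizedApplications\List key and flags those matching the rule name or the path shape given on this page. The sample values, the folder names in them and the field names used for `path:scope:status:name` are constructed for illustration.

```python
import ntpath
import re

# Indicators taken from the description above.
RULE_NAME = "JavaUpdate23"
FILE_NAME = "jusched.exe"
# %programfiles%\<one folder>\jusched.exe, in expanded or unexpanded form.
PATH_RE = re.compile(
    r"^(?:%programfiles%|[a-z]:\\program files(?: \(x86\))?)\\[^\\]+\\jusched\.exe$",
    re.IGNORECASE,
)

def parse_entry(data):
    """Split 'path:scope:status:name' from the right; the path may contain ':'."""
    parts = data.rsplit(":", 3)
    return tuple(parts) if len(parts) == 4 else None

def score_entry(data):
    """Return the indicators matched by one AuthorizedApplications value."""
    entry = parse_entry(data)
    if entry is None:
        return []
    path, _scope, _status, name = entry
    hits = []
    if name == RULE_NAME:
        hits.append("rule_name")
    if PATH_RE.match(path):
        hits.append("path_shape")
    elif ntpath.basename(path).lower() == FILE_NAME:
        hits.append("file_name_only")  # a jusched.exe elsewhere; weak on its own
    return hits

def suspicious(values):
    """values: {value name: value data} read from the firewall List key."""
    scored = {k: score_entry(v) for k, v in values.items()}
    return {k: h for k, h in scored.items() if {"rule_name", "path_shape"} & set(h)}

# Constructed sample values (not taken from a real host).
SAMPLE = {
    "a": r"C:\Program Files\qwrtk\jusched.exe:*:Enabled:JavaUpdate23",
    "b": r"C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe:*:Enabled:Java Update Scheduler",
    "c": r"%programfiles%\xyz\jusched.exe:*:Enabled:Renamed",
    "d": r"C:\Tools\app.exe:LocalSubNet:Disabled:App",
}

if __name__ == "__main__":
    for key, hits in suspicious(SAMPLE).items():
        print(key, hits)
```

On a live host the values can be read with Python's `winreg` module and passed to `suspicious()`.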

Spreading on removable media

The worm copies itself into the root folders of removable drives, using a filename based on the name of an existing file or folder.


The extension of the file is ".exe".

Other information

The worm tries to download and execute several files from the Internet.


The worm contains a list of 6 URLs. The FTP protocol is used.


The files are saved into the following folder:

  • %temp%

The files are then executed.
