Win32/Donked [Threat Name]

Win32/Donked.A [Threat Variant Name]

Category worm
Size 167936 B
Detection created Aug 09, 2011
Detection database version 6362
Aliases
  • Trojan.Win32.Agent2.fkqs (Kaspersky)
  • W32/Autorun.worm.aada.virus (McAfee)
  • Worm:Win32/Donked.A (Microsoft)
Short description

Win32/Donked.A is a worm that spreads via removable media and downloads additional malware from the Internet.

Installation

When executed, the worm copies itself to the following location:

  • %system%\winpub.exe

To be executed on every system start, the worm sets the following Registry entry:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "winpub" = "%system%\winpub.exe"

The following Registry entries are set, so that Windows Explorer hides protected operating system files and known file extensions (note that both values also happen to be the Windows defaults, so on their own they are weak indicators):

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    • "ShowSuperHidden" = 0
    • "HideFileExt" = 1

The following Registry keys are deleted. They define the corresponding options in the Folder Options > View dialog, so removing them takes away the user's means of making hidden files and file extensions visible again:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt]
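
The following PowerShell triage script is an added example, not part of the ESET write-up and not code of the worm. It checks a Windows host for the installation artifacts listed above (dropped file, Run value, Explorer view values, deleted Folder Options keys) and, with -Repair, resets the Explorer view values and removes the Run value. The SHA-256 output, the "weak" labelling of the two default-matching values and the advice to restore the deleted HKLM subkeys from a clean export are the editor's additions, not facts from the write-up.

```powershell
# Added triage script (not from the ESET write-up). Run from an elevated prompt:
#   .\Check-Donked.ps1            # report only
#   .\Check-Donked.ps1 -Repair    # also revert Explorer view values and Run key
param([switch]$Repair)

$findings  = New-Object System.Collections.Generic.List[string]
$system    = [Environment]::GetFolderPath('System')      # what the write-up calls %system%
$runKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$advKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$folderKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder'

# 1. Dropped binary: %system%\winpub.exe (write-up gives the sample size as 167936 B)
$dropped = Join-Path $system 'winpub.exe'
if (Test-Path $dropped) {
    $f    = Get-Item $dropped
    $hash = (Get-FileHash -Path $dropped -Algorithm SHA256).Hash
    $findings.Add("dropped binary present: $dropped ($($f.Length) B, sha256 $hash)")
}

# 2. Persistence: Run value "winpub" under HKLM
$run = Get-ItemProperty -Path $runKey -Name winpub -ErrorAction SilentlyContinue
if ($run) { $findings.Add("Run key persistence: winpub = $($run.winpub)") }

# 3. Explorer view values in HKCU. ShowSuperHidden=0 and HideFileExt=1 are also the
#    Windows defaults, so report them as weak indicators only.
$adv = Get-ItemProperty -Path $advKey -ErrorAction SilentlyContinue
if ($adv.ShowSuperHidden -eq 0) { $findings.Add('weak: ShowSuperHidden = 0 (protected OS files hidden)') }
if ($adv.HideFileExt -eq 1)     { $findings.Add('weak: HideFileExt = 1 (known extensions hidden)') }

# 4. Folder Options definitions the worm deletes. These exist on a clean install, so
#    their absence is the distinguishing artifact of this tampering.
foreach ($sub in 'Hidden\NOHIDDEN', 'Hidden\SHOWALL', 'SuperHidden', 'HideFileExt') {
    if (-not (Test-Path (Join-Path $folderKey $sub))) {
        $findings.Add("Folder Options key missing: $folderKey\$sub")
    }
}

if ($findings.Count -eq 0) { 'No Win32/Donked.A installation artifacts found.' }
else { $findings | ForEach-Object { "[!] $_" } }

if ($Repair) {
    # Make hidden system files and extensions visible again so the dropped files can be
    # seen, and remove the autostart. The deleted HKLM\...\Folder subkeys hold dialog
    # definitions; restore them from a 'reg export' taken on a clean host of the same
    # Windows version (assumption: such a host is available).
    Set-ItemProperty -Path $advKey -Name ShowSuperHidden -Value 1 -Type DWord
    Set-ItemProperty -Path $advKey -Name HideFileExt     -Value 0 -Type DWord
    if ($run) { Remove-ItemProperty -Path $runKey -Name winpub }
    'Explorer view values reset and Run value removed; restore Folder subkeys from a clean export.'
}
```

The check in step 4 is the one worth alerting on: the two HKCU values are ordinary user preferences, but a missing Folder Options definition under HKLM does not occur on a clean system.
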

Spreading on removable media

The worm copies itself into existing folders of removable drives.

The name of the file may be based on the name of an existing file or folder.

Other information

Win32/Donked.A tries to download other malware from the Internet.

The worm contains a list of two URLs and tries to download a file from these addresses over HTTP.

The file is stored in the following location:

  • %temp%\jke%variable%.exe

The file is then executed.

A string with variable content is used instead of %variable%.


The worm opens the following URL in Internet Explorer:

  • http://%removed%.com/count.asp

The worm executes the following command:

  • net stop sharedaccess

On Windows XP the SharedAccess service hosts Windows Firewall/Internet Connection Sharing (ICS), so this command switches off the host firewall. On Windows Vista and later the firewall runs in the separate MpsSvc service and stopping SharedAccess affects only ICS.
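
The following hunting script is an added example, not part of the ESET write-up and not code of the worm. It looks for the second-stage artifacts described in this section: files matching the %temp%\jke%variable%.exe pattern (the variable part is unknown, so any suffix is matched), processes still running from such a path, the state of the SharedAccess and MpsSvc services, and Service Control Manager events recording that the firewall or ICS service was stopped. The download URLs are removed in the write-up, so no network indicator is checked. The choice of event ID 7036 and the 500-event window are the editor's, not from the write-up.

```powershell
# Added hunting script (not from the ESET write-up). Run as the user whose %temp%
# the worm would have used; %temp% is per-user, so check other profiles separately.
$hits = New-Object System.Collections.Generic.List[string]

# 1. Downloaded payload candidates: %temp%\jke*.exe
Get-ChildItem -Path $env:TEMP -Filter 'jke*.exe' -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $h = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        $hits.Add("payload candidate: $($_.FullName) ($($_.Length) B, created $($_.CreationTime), sha256 $h)")
    }

# 2. Processes still executing from that path
$pattern = Join-Path $env:TEMP 'jke*.exe'
Get-CimInstance -ClassName Win32_Process |
    Where-Object { $_.ExecutablePath -and $_.ExecutablePath -like $pattern } |
    ForEach-Object { $hits.Add("running from temp: PID $($_.ProcessId) $($_.ExecutablePath)") }

# 3. 'net stop sharedaccess': on XP SharedAccess is Windows Firewall/ICS; on Vista and
#    later the firewall is MpsSvc and SharedAccess is only ICS, so look at both.
foreach ($name in 'SharedAccess', 'MpsSvc') {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($svc -and $svc.Status -ne 'Running') {
        $hits.Add("service $name is $($svc.Status) ($($svc.DisplayName))")
    }
}

# 4. Service Control Manager writes event 7036 when a service enters the stopped state;
#    this gives a timestamp for the 'net stop'. (Get-WinEvent needs Vista or later.)
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7036 } `
             -MaxEvents 500 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Internet Connection Sharing|Windows Firewall' -and $_.Message -match 'stopped' } |
    ForEach-Object { $hits.Add("SCM 7036 at $($_.TimeCreated): $($_.Message.Split("`n")[0])") }

if ($hits.Count -eq 0) { 'No Win32/Donked.A second-stage artifacts found.' }
else { $hits | ForEach-Object { "[!] $_" } }
```

A stopped firewall service is a strong indicator only when the host normally runs it; confirm against the baseline for that machine before treating step 3 alone as an infection.
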
