Win32/Small.AG [Threat Name] go to Threat

Win32/Small.AG [Threat Variant Name]

Category worm
Size 26309 B
Detection created Aug 01, 2005
Detection database version 3189
Aliases Worm.Win32.Small.ag (Kaspersky)
  W32/Autorun.worm.bc (McAfee)
  Trojan.Horse (Symantec)
Short description

Win32/Small.AG is a worm that spreads by copying itself into the root folders of available drives.

Installation

When executed the worm copies itself in the following locations:

  • %system%\­mexica.exe
  • %windir%\­system234.exe
  • %windir%\­temp\­mexica.exe

In order to be executed on every system start, the worm sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "systray" = "%windir%\­system234.exe"
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows NT\­CurrentVersion\­Windows]
    • "run" = "%windir%\­temp\­mexica.exe"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Winlogon]
    • "shell" = "%system%\­mexica.exe"
  • [HKEY_USERS\­%userprofile%\­Software\­Microsoft\­Windows NT\­CurrentVersion\­Windows]
    • "run" = "%windir%\­temp\­mexica.exe"

The worm displays a fake error message:

Spreading

The worm copies itself into the root folders of the A:\ - G:\ drives using the following name:

  • imagenes.exe

Please enable Javascript to ensure correct displaying of this content and refresh this page.