Win32/Tenavt [Threat Name]

Win32/Tenavt.A [Threat Variant Name]

Category worm
Size 29184 B
Detection created Apr 20, 2012
Detection database version 10362
Aliases Trojan.Win32.Zapchast.acbt (Kaspersky)
  Trojan:Win32/Netvat.E!Dll (Microsoft)
  Trojan.Gen (Symantec)
Short description

Win32/Tenavt.A is a worm that spreads via removable media.

Installation

When executed, the worm copies itself to the following locations:

  • %programfiles%\360dv.exe
  • %programfiles%\syslass.cpl

The worm creates the following file:

  • %systemroot%\system32\svcnet32.dll (13312 B, Win32/Tenavt.A)

The worm registers the file as a system service.

This causes the worm to be executed on every system start.


The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurentVersion\Svchost]
    • "Avt-Net" = "Avt-Net"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Avt-Net]
    • "Description" = "Retrieves the serial number of any portable Sound player connected to this computer. If this service is stopped, any services that explicitly depend on it will fail to start."
    • "DisplayName" = "Portable Sound Serial Number Services"
    • "ErrorControl" = 1
    • "Group" = "Com Infrastructure"
    • "ObjectName" = "LocalSystem"
    • "Start" = 2
    • "Type" = 16
    • "FailureAction" = %binaryvalue%
    • "ImagePath" = "%systemroot%\system32\svchost -k Avt-Net"
  • [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Avt-Net\Parameters]
    • "ServiceDll" = "%systemroot%\system32\svcnet32.dll"
  • [HKEY_CLASSES_ROOT\exefile]
    • "NeverShowExt" = 0
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    • "Hidden" = 2
    • "ShowSuperHidden" = 0
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
    • "CheckedValue" = 1

The worm enables the following services:

  • Avt-Net
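
A defender-side, read-only audit for the svchost-hosted service persistence and dropped files listed above, written here as an added example (it is not ESET's code or the malware's). It assumes a PowerShell session on the Windows host being examined; the function name Test-TenavtIndicators and the output format are this example's own, while the key names and paths are taken from the write-up.

```powershell
# Added example (not from the ESET write-up): read-only audit of a Windows host for the
# indicators described above. Key names and paths come from the write-up; the function name is ours.
function Test-TenavtIndicators {
    $findings = @()

    # 1. svchost service group "Avt-Net" (a value name under the Svchost key)
    $svchostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
    $groups = Get-ItemProperty -Path $svchostKey -ErrorAction SilentlyContinue
    if ($groups -and ($groups.PSObject.Properties.Name -contains 'Avt-Net')) {
        $findings += "svchost group 'Avt-Net' registered under $svchostKey"
    }

    # 2. Service "Avt-Net" and the DLL svchost would load for it
    $svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Avt-Net'
    if (Test-Path $svcKey) {
        $svc    = Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue
        $params = Get-ItemProperty -Path "$svcKey\Parameters" -ErrorAction SilentlyContinue
        $dll    = [Environment]::ExpandEnvironmentVariables([string]$params.ServiceDll)
        $findings += "service 'Avt-Net' present (DisplayName='$($svc.DisplayName)', ImagePath='$($svc.ImagePath)')"
        $findings += "  ServiceDll = '$dll'"
        if ($dll -and (Test-Path -LiteralPath $dll)) {
            # Legitimate svchost-hosted DLLs are normally Microsoft-signed; record what this one carries.
            $sig = Get-AuthenticodeSignature -FilePath $dll
            $findings += "  ServiceDll signature status: $($sig.Status)"
        }
    }

    # 3. Files the worm drops or uses (from the write-up)
    $paths = @(
        "$env:ProgramFiles\360dv.exe",
        "$env:ProgramFiles\syslass.cpl",
        "$env:SystemRoot\System32\svcnet32.dll",
        "$env:ProgramFiles\Common Files\Plugins\index.txt"
    )
    foreach ($p in $paths) {
        if (Test-Path -LiteralPath $p) { $findings += "file present: $p" }
    }

    # 4. Explorer set to hide hidden/system files. These values are also Windows defaults, so
    #    they only corroborate other findings and are never reported on their own.
    $adv = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' -ErrorAction SilentlyContinue
    if ($findings.Count -gt 0 -and $adv.Hidden -eq 2 -and $adv.ShowSuperHidden -eq 0) {
        $findings += "Explorer hidden-file settings match the write-up (Hidden=2, ShowSuperHidden=0)"
    }
    return $findings
}

$result = Test-TenavtIndicators
if ($result) { $result } else { 'No Win32/Tenavt.A indicators found.' }
```

Run it as an administrator so the HKLM service keys are readable; a present service with an unsigned ServiceDll outside the expected Microsoft set is the strongest signal here, the Explorer settings alone are not.
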

Spreading on removable media

The worm copies itself into the root folders of removable drives with the filename based on the name of an existing file or folder.

Other information

The worm acquires data and commands from a remote computer or the Internet.

The worm can download and execute a file from the Internet.

The worm contains a list of (2) URLs. The HTTP protocol is used.


The worm keeps various information in the following files:

  • %programfiles%\Common Files\Plugins\index.txt

The worm attempts to delete the following file:

  • %programfiles%\360dv.exe

The worm may execute the following commands:

  • %system%\cmd.exe /c del %originalmalwarefilepath% > nul
