MSIL/Antinny [Threat Name]
MSIL/Antinny.A [Threat Variant Name]
Category | worm
Size | 192512 B
Aliases | Worm.MSIL.Antinny.a (Kaspersky), Worm:Win32/Antinny.BC (Microsoft), W32.Antinny.K (Symantec)
Short description
MSIL/Antinny.A is a worm that is spread via peer-to-peer networks.
Installation
When executed, the worm copies itself to the following locations:
- %system%\..\taskmgr.exe
- %system%\config\IEXPLORE.EXE
In order to be executed on every system start, the worm sets the following Registry entries:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
- "taskmgr" = "%system%\..\taskmgr.exe -kira"
- "IEXPLORE" = "%system%\config\IEXPLORE.EXE -ryuk"
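A defender's check for the two Run values listed above, as an added example that is not part of the original description: it resolves `%system%\..` so the indicator matches `C:\Windows\taskmgr.exe` but not the legitimate copy in System32. It assumes `%system%` is `C:\Windows\System32` and runs on constructed sample data rather than a live registry; the function and variable names are hypothetical.

```python
import ntpath  # Windows path rules, usable on any OS

# Assumption: %system% is the System32 directory of a default install.
SYSTEM_DIR = r"C:\Windows\System32"

# (path, argument) pairs taken from the Installation section of this page.
INDICATORS = [
    (r"%system%\..\taskmgr.exe", "-kira"),
    (r"%system%\config\IEXPLORE.EXE", "-ryuk"),
]

def canon(path, system_dir=SYSTEM_DIR):
    """Expand %system%, collapse '..' and case-fold a Windows path."""
    lowered = path.strip().strip('"').lower()
    return ntpath.normpath(lowered.replace("%system%", system_dir.lower()))

def split_command(data):
    """Split Run value data into (executable path, argument string)."""
    data = data.strip()
    if data.startswith('"'):                 # quoted path, arguments follow
        exe, _, rest = data[1:].partition('"')
        return exe, rest.strip()
    idx = data.lower().find(".exe")          # unquoted: cut after first .exe
    if idx == -1:
        return data, ""
    return data[:idx + 4], data[idx + 4:].strip()

def check_run_values(values, system_dir=SYSTEM_DIR):
    """Return (value name, resolved path, argument matched) per indicator hit.

    values maps Run value names to their data, e.g. from a registry export.
    """
    findings = []
    for name, data in values.items():
        exe, args = split_command(data)
        resolved = canon(exe, system_dir)
        for ind_path, ind_arg in INDICATORS:
            if resolved == canon(ind_path, system_dir):
                findings.append((name, resolved, ind_arg in args.lower().split()))
    return findings

# Constructed sample of Run value data (not taken from a real host).
SAMPLE_RUN = {
    "Updater": r'"C:\Program Files\Example\updater.exe" /background',
    "taskmgr": r"C:\WINDOWS\taskmgr.exe -kira",
    "IEXPLORE": r"C:\Windows\System32\config\IEXPLORE.EXE -ryuk",
}

if __name__ == "__main__":
    for finding in check_run_values(SAMPLE_RUN):
        print(finding)
```

A hit on the path alone, with the argument flag `False`, is still worth reviewing, because neither location normally holds an executable with that name.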
Spreading via P2P networks
MSIL/Antinny.A may be spread via peer-to-peer networks.
The worm affects the behavior of the following applications:
- Winny
The worm searches for files which contain any of the following strings in their file name:
- winny.exe
It may also make changes to the following file in the same folder:
- UpFolder.txt
The worm searches for files whose names match the following pattern:
- DSC*.jpg
The worm creates copies of the following files (source, destination):
- DSC*.jpg, %system%\2124\%driveletter%\%variable1%.jpg
The worm copies itself to the following location:
- %system%\2124\%driveletter%\メール%spaces%.exe
The files are then compressed into a ZIP archive and stored in the following location:
- %system%\1035\[一般コミック][小畑健×%username%] DEATH NOTE -デスノート- 第%variable2%巻.zip
A variable numerical value is used instead of %variable1-2%.
Information stealing
MSIL/Antinny.A is a worm that steals sensitive information.
The worm collects the following information:
- screenshots
The files are saved into the following folder:
- %system%\1035
This folder is a shared folder used by various instant messaging and P2P applications.