Win32/Anilogo [Threat Name]

Win32/Anilogo.F [Threat Variant Name]

Category: worm
Size: 28000 B
Aliases: Worm.Win32.Anilogo.f (Kaspersky)
         W32.Mumawow.F (Symantec)
         TrojanDownloader:Win32/Cekar.gen!A (Microsoft)
Short description

Win32/Anilogo.F is a worm that tries to download other malware from the Internet.

Installation

When executed, the worm copies itself into the following location:

  • %windir%\Fonts\syn00-23-7D-C5-B7-B9\system\smss.exe (28000 B)

In order to be executed on every system start, the worm sets the following Registry entry:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "TBMonEx" = "%windir%\Fonts\syn00-23-7D-C5-B7-B9\system\smss.exe"

The following Registry entries are created. A "Debugger" value under Image File Execution Options makes Windows start the named program ("net") in place of the application itself, so the listed security products no longer run:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%application%]
    • "Debugger" = "net"

%application% stands for one of the following filenames:

  • _AVP32.EXE
  • _AVPCC.EXE
  • _AVPM.EXE
  • 360rpt.exe
  • 360Safe.exe
  • 360tray.exe
  • ACKWIN32.EXE
  • ANTI-TROJAN.EXE
  • APVXDWIN.EXE
  • AUTODOWN.EXE
  • AVCONSOL.EXE
  • AVE32.EXE
  • AVGCTRL.EXE
  • AVKSERV.EXE
  • AVNT.EXE
  • AVP.EXE
  • AVP32.EXE
  • AVPCC.EXE
  • AVPDOS32.EXE
  • AVPM.EXE
  • AVPTC32.EXE
  • AVPUPD.EXE
  • AVSCHED32.EXE
  • AVWIN95.EXE
  • AVWUPD32.EXE
  • BLACKD.EXE
  • BLACKICE.EXE
  • CFIADMIN.EXE
  • CFIAUDIT.EXE
  • CFINET.EXE
  • CFINET32.EXE
  • CLAW95.EXE
  • CLAW95CF.EXE
  • CLEANER.EXE
  • CLEANER3.EXE
  • DVP95.EXE
  • DVP95_0.EXE
  • ECENGINE.EXE
  • EGHOST.EXE
  • ESAFE.EXE
  • EXPWATCH.EXE
  • F-AGNT95.EXE
  • FESCUE.EXE
  • FINDVIRU.EXE
  • FPROT.EXE
  • F-PROT.EXE
  • F-PROT95.EXE
  • FP-WIN.EXE
  • FRW.EXE
  • F-STOPW.EXE
  • IAMAPP.EXE
  • IAMSERV.EXE
  • IBMASN.EXE
  • IBMAVSP.EXE
  • ICLOAD95.EXE
  • ICLOADNT.EXE
  • ICMON.EXE
  • ICSUPP95.EXE
  • ICSUPPNT.EXE
  • IFACE.EXE
  • IOMON98.EXE
  • Iparmor.exe
  • JEDI.EXE
  • KAV32.exe
  • KAVPFW.EXE
  • KAVsvc.exe
  • KAVSvcUI.exe
  • KAVsvcUI.exe
  • KVFW.EXE
  • KVMonXP.exe
  • KVMonXP.kxp
  • KVSrvXP.exe
  • KVsrvXP.exe
  • KVwsc.exe
  • KvXP.kxp
  • KWatchUI.EXE
  • LOCKDOWN2000.EXE
  • Logo1_.exe
  • LOOKOUT.EXE
  • LUALL.EXE
  • MAILMON.EXE
  • MOOLIVE.EXE
  • MPFTRAY.EXE
  • N32SCANW.EXE
  • Navapsvc.exe
  • Navapw32.exe
  • NAVAPW32.EXE
  • NAVLU32.EXE
  • NAVNT.EXE
  • navw32.EXE
  • NAVW32.EXE
  • NAVWNT.EXE
  • NISUM.EXE
  • NMain.exe
  • NMAIN.EXE
  • NORMIST.EXE
  • NUPGRADE.EXE
  • NVC95.EXE
  • PAVCL.EXE
  • PAVSCHED.EXE
  • PAVW.EXE
  • PCCWIN98.EXE
  • PCFWALLICON.EXE
  • PERSFW.EXE
  • PFW.EXE
  • PFW.exe
  • Rav.exe
  • rav.exe
  • RAV7.EXE
  • RAV7WIN.EXE
  • RAVmon.exe
  • RavMon.exe
  • RAVmonD.exe
  • RAVtimer.exe
  • Ravtimer.exe
  • Rising.exe
  • rising.exe
  • SAFEWEB.EXE
  • SCAN32.EXE
  • SCAN95.EXE
  • SCANPM.EXE
  • SCRSCAN.EXE
  • SERV95.EXE
  • SMC.EXE
  • SPHINX.EXE
  • SWEEP95.EXE
  • TBSCAN.EXE
  • TCA.EXE
  • TDS2-98.EXE
  • TDS2-NT.EXE
  • THGUARD.EXE
  • TrojanHunter.exe
  • VET95.EXE
  • VETTRAY.EXE
  • VSCAN40.EXE
  • VSECOMR.EXE
  • VSHWIN32.EXE
  • VSSTAT.EXE
  • WEBSCANX.EXE
  • WFINDV32.EXE
  • ZONEALARM.EXE

Spreading on removable media

The worm copies itself into the root folders of fixed and/or removable drives using the following name:

  • %drive%\ntldr.exe (28000 B)

The following file is dropped in the same folder:

  • %drive%\autorun.inf

Through autorun.inf, the worm is started each time the infected media is inserted into a computer on which AutoRun is enabled.

Executable file infection

Win32/Anilogo.F can infect executable files.

The worm searches local and network drives for files with the following extension:

  • .exe

It avoids files which contain any of the following strings in their path:

  • Common Files
  • Internet Explorer
  • recycler
  • system volume information
  • windows
  • Windows NT
  • winnt

It avoids files with the following filenames:

  • AdBalloonExt.exe
  • BackgroundDownloader.exe
  • BugReport.exe
  • CA.exe
  • CONFIG.exe
  • CoralQQ.exe
  • dzh.exe
  • fb3.exe
  • Findbug.EXE
  • game.exe
  • GAME2.EXE
  • GAME3.EXE
  • Game4.exe
  • hypwise.exe
  • KartRider.exe
  • laizi.exe
  • Launcher.exe
  • Lobby_Setup.exe
  • Meteor.exe
  • mir.exe
  • nettools.exe
  • NMCOSrv.exe
  • NMService.exe
  • o2_unins_web.exe
  • O2Jam.exe
  • O2JamPatchClient.exe
  • O2Mania.exe
  • O2ManiaDriverSelect.exe
  • OTwo.exe
  • patchupdate.exe
  • PES5.exe
  • PES6.exe
  • proxy.exe
  • QQ.exe
  • QQexternal.exe
  • ra2.exe
  • ra21006ch.exe
  • ra3.exe
  • ra4.exe
  • Repair.exe
  • Roadrash.exe
  • settings.exe
  • sTwo.exe
  • tm.exe
  • Updater.exe
  • WE8.exe
  • WoW.exe
  • zhengtu.exe
  • ztconfig.exe

Files are infected by adding a new section that contains the worm.

The host file is modified so that the worm is executed before the original code runs.

The size of the inserted code is 29 KB.

Other information

The worm acquires data and commands from a remote computer or the Internet.

The worm contains a list of 7 URLs. The HTTP protocol is used.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files

The worm may create the following files:

  • %windir%\Fonts\syn00-23-7D-C5-B7-B9\system\smss.exe.tmp
  • %windir%\Fonts\syn00-23-7D-C5-B7-B9\system\SYSTEM128.tmp
  • %windir%\Fonts\syn00-23-7D-C5-B7-B9\system\SYSTEM128.vxd
  • %windir%\Fonts\syn00-23-7D-C5-B7-B9\system\10074.INC
  • %windir%\Fonts\syn00-23-7D-C5-B7-B9\system\%variable1%
  • %variable2%.bat
  • ani.ani

%variable1% and %variable2% stand for strings with variable content.


The worm may set the following Registry entries:

  • [HKEY_CURRENT_USER\Control Panel\Cursors]
    • "AppStarting" = "%systemroot%\Cursors\3dwarro.cur"
    • "AppStarting" = ""
  • [HKEY_LOCAL_MACHINE\SOFTWARE\GoogleBA]
    • "setup" = "yes"

The worm launches the following processes:

  • explorer.exe
  • iexplore.exe
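The Registry and file artefacts listed above (the Image File Execution Options "Debugger" hijack, the TBMonEx Run value, the copy under the Fonts directory and the drive-root autorun.inf/ntldr.exe pair) can be audited with the following script. It is an added example, not part of the ESET write-up; it assumes an elevated PowerShell session on the host being checked, and the severity labels are this example's own convention.

```powershell
# Added example: audit a host for the Win32/Anilogo.F artefacts described on this page.
$findings = @()

# 1. IFEO "Debugger" hijacks. Any Debugger value deserves review; the value "net"
#    is the one this variant writes for every security product in its list.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) {
        $findings += [pscustomobject]@{
            Check    = 'IFEO Debugger'
            Location = $_.PSChildName
            Value    = $dbg
            Severity = if ($dbg.Trim('"') -ieq 'net') { 'High' } else { 'Review' }
        }
    }
}

# 2. Persistence: the TBMonEx Run value, or any Run value that starts an smss.exe
#    from somewhere other than %windir%\System32 (the legitimate location).
$run = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$props = Get-ItemProperty -Path $run -ErrorAction SilentlyContinue
if ($props) {
    $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } | ForEach-Object {
        $v = [string]$_.Value
        if ($_.Name -eq 'TBMonEx' -or ($v -match '(?i)smss\.exe' -and $v -notmatch '(?i)\\system32\\')) {
            $findings += [pscustomobject]@{ Check = 'Run key'; Location = $_.Name; Value = $v; Severity = 'High' }
        }
    }
}

# 3. The dropped copy (28000 B per the write-up) and the drive-root spreading files.
$copy = Join-Path $env:windir 'Fonts\syn00-23-7D-C5-B7-B9\system\smss.exe'
if (Test-Path -LiteralPath $copy) {
    $findings += [pscustomobject]@{ Check = 'File'; Location = $copy; Value = (Get-Item -LiteralPath $copy).Length; Severity = 'High' }
}
Get-PSDrive -PSProvider FileSystem | ForEach-Object {
    foreach ($name in 'autorun.inf', 'ntldr.exe') {
        $p = Join-Path $_.Root $name
        if (Test-Path -LiteralPath $p -ErrorAction SilentlyContinue) {
            $findings += [pscustomobject]@{ Check = 'Drive root'; Location = $p; Value = ''; Severity = 'Review' }
        }
    }
}

$findings | Format-Table -AutoSize
```

An IFEO Debugger entry for a security product is suspicious regardless of its value, so review every "Review" row rather than only the "High" ones.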
