Win32/AutoRun.Agent.TG [Threat Name] go to Threat

Win32/AutoRun.Agent.TG [Threat Variant Name]

Category	worm
Size	507904 B
Aliases	BackDoor-EJG.trojan (McAfee)
	TrojanDropper:Win32/Dwonk.A (Microsoft)
	Trojan.Horse (Symantec)

Short description

Win32/AutoRun.Agent.TG is a worm that spreads via removable media, shared folders and IM. The worm serves as a backdoor. It can be controlled remotely.

Installation

When executed, the worm creates the following files:

%temp%\%variable1%.exe (315392 B, Win32/AutoRun.Agent.TG)
%temp%\%variable9%.exe (708608 B, Win32/AutoRun.Agent.TG)

The worm copies itself to the following locations:

%temp%\%variable2%.exe
%temp%\%variable3%.exe
%temp%\%variable4%.exe
%temp%\%variable5%.exe
%temp%\%variable6%.exe
%temp%\%variable7%.exe
%temp%\%variable8%.exe
%windir%\%variable2%.exe
%windir%\%variable6%.exe
%system%\%variable6%.exe
%system%\%variable8%.exe
%system%\%variable2%.exe
%system%\%variable3%.exe
%system%\%variable7%.exe
%system%\%variable5%.exe
%windir%\%variable8%.exe
%windir%\%variable3%.exe
%windir%\%variable4%.exe
%windir%\%variable7%.exe
%windir%\%variable5%.exe
%system%\%variable4%.exe

The files are then executed.

The worm creates the following files:

%appdata%\%variable10% (120 B)
%appdata%\%variable11% (3848 B)
%temp%\%variable10% (120 B)
%temp%\%variable11% (3848 B)
%programfiles\%%variable10% (120 B)
%programfiles%\%variable11% (3848 B)
%system%\%variable11% (3848 B)
%system%\%variable10% (120 B)
%windir%\%variable10% (120 B)
%windir%\%variable11% (3848 B)

The worm may create the following files:

%temp%\%variable21%.dll (32768 B, Win32/AutoRun.Agent.TG)
%temp%\%variable21%.dll (315392 B, Win32/AutoRun.Agent.TG)

The worm creates the following folders:

%temp%\%variable12%
%temp%\%variable12%\%variable13%\

In order to be executed on every system start, the worm sets the following Registry entries:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
- "%variable14%" = "%variable3%.exe"
- "%variable15%" = %temp%\%variable4%.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
- "%variable16%" = %variable6%.exe
- "%variable17%" = %temp%\%variable7%.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
- "%variable18%" = "%variable7%.exe"
- "%variable19%" = "%temp%\%variable4%.exe"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
- "%variable20%" = "%variable6%.exe"
- "%variable14%" = "%temp%\%variable4%.exe"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
- "%variable12%" = "%variable3%.exe"
- "%variable16%" = "%temp%\%variable4%.exe"

A string with variable content is used instead of %variable1-21% .

The following Registry entries are created:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
- "EnableLUA" = 0
- "DisableRegistryTools" = 1
- "ConsentPromptBehaviorAdmin" = 0
- "ConsentPromptBehaviorUser" = 0
- "EnableInstallerDetection" = 0
- "EnableSecureUIAPaths" = 0
- "EnableVirtualization" = 0
- "PromptOnSecureDesktop" = 0
- "ValidateAdminCodeSignatures" = 0
- "FilterAdministratorToken" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
- "NoDriveTypeAutoRun" = 1
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
- "CheckedValue" = 145
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Security Center]
- "AntiVirusOverride" = 1
- "FirewallOverride" = 1
- "UacDisableNotify" = 1
- "AntiVirusDisableNotify" = 1
- "FirewallDisableNotify" = 1
- "UpdatesDisableNotify" = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
- "Shell" = "Explorer.exe"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
- "DisableRegistryTools" = 1
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
- "NoDriveTypeAutoRun" = 1

The worm quits immediately if it is run within a debugger.

The worm terminates its execution if it detects that it's running in a specific virtual environment.

Spreading

The worm searches for files with the following file extensions:

.rar

The worm inserts a copy of itself into RAR archives.

The worm copies itself into the root folders of local and remote drives.

The following filename is used:

%variable%.bat

A string with variable content is used instead of %variable% .

The following file is created in the same folders:

Autorun.inf

The AUTORUN.INF file contains the path to the malware executable.

The worm searches for network drives.

The worm tries to copy itself to the available shared network folders.

Win32/AutoRun.Agent.TG is a worm that spreads through social networking sites.

The following social networking sites are affected:

Twitter

Spreading on removable media

The worm copies itself into the root folders of removable drives using the following names:

%variable%.bat

A string with variable content is used instead of %variable% .

The following file is dropped in the same folder:

Autorun.inf

The AUTORUN.INF file contains the path to the malware executable.

Thus, the worm ensures it is started each time infected media is inserted into the computer.

The worm copies itself into the existing subfolders also.

Spreading via IM networks

Win32/AutoRun.Agent.TG is a worm that spreads via IM networks.

The worm sends links to

Skype

users. The messages may contain any of the following texts:

hello
hi
how are you
hello again
you skype version is old
what are you?
from where are you?
what are you doing in my contacts?
as I said %url%
so %url%
%url%D
look %url%
here %url%
so what do you think?
what is in that link on your skype?
do you have camera on skype?
is it really your web site?
what do you think about that?
what is there?
pudge women ;)
piece of shit
now everyone know ;)
idiot
what are you doing
crazy bitch
why dont you speak
I saw you photo. I would like to speak with you
I saw you last week. I would like to speak with you
I watching you long time. I would like to speak with you
%url%
I know what you did
%url%DDD
idiot name
i lost my job..
i am idiot..
i want to die..
0(beer)
?
nice ass*
muhahahaaahaha
little boy]]]]
I know about your little problemD
gay
:D
what new?
what the fuck is that ?
bad news
dude
bitch
niger
impotent
Hallo
hallo
Wie geht es Ihnen
Hallo wieder
Sie Skype-Version ist alt
was bist du?
Von wo bist du?
Was machst du in meine Kontakte?
wie ich schon sagte%url%
so%url%
%url D
siehe%url%
hier%url%
so what do you think?
Was ist in diesem Link auf Ihrer Skype?
Haben Sie Kamera auf Skype?
Ist es wirklich Ihre Website?
Was denken Sie darüber?
was ist da?
pudge Frauen;)
piece of shit
DU BIST NUN alle wissen;)
Idiot
what machst du
crazy bitch
why dont you speak
Ich habe dich Foto. Ich möchte mit Ihnen sprechen
Ich habe Sie letzte Woche. Ich möchte mit Ihnen sprechen
Ich beobachte dich lange. Ich möchte mit Ihnen sprechen
%url%
I wissen, was Sie nicht
%url D
idiot name
ich meinen Job verloren ..
ich bin Idiot ..
ich wollen .. die
(Bier)
?
nice ass*
muhahahaaahaha
kleiner Junge]]]]
I über Ihr kleines Proble D
Homosexuell
: D
was ist neu?
Was zum Teufel ist das?
schlechte Nachrichten
dude
Hündin
niger
impotent
Hello
Привет
Как вы
Здравствуйте еще раз
Вы Skype версии старой
Кто Вы?
откуда ты?
Что ты делаешь в моих контактов?
Как я уже говорил %url%
так %url%
%urlD
посмотрите %url%
здесь %url%
И что вы думаете?
что в этом ссылку на ваш Skype?
У вас есть камера на Skype?
действительно ли ваш веб-сайт?
Что вы думаете об этом?
что там?
толстяк женщин;)
кусок дерьма пТеперь все знают;)
Идиот nwhat ты делаешь
Crazy сука
Why Dont вы говорите
я видел вас фото. Я хотел бы поговорить с вами
Я видел тебя на прошлой неделе. Я хотел бы поговорить с вами
Я смотрю вам долгое время. Я хотел бы поговорить с вами
%url%
I знаю, что ты сделал
%urlD nidiot имя
Я потерял мою работу .. Н. М. идиот .. NI хочу умереть ..
(пиво)
?
Nice осл* nmuhahahaaahaha
маленький мальчик]]]]
I знать о вашей маленькой проблемоD
гей D
Что нового?
что ебать это?
плохие новости
идиота
сука
Нигер
бессильная
hello
hi
Cum te
hello din nou
tu Skype versiune este veche
Ce esti tu?
de unde esti?
Ce faci în contactele mele?
după cum am spus %url%
aşa %url%
%urlD
uite %url%
aici %url%
so ce crezi?
ceea ce este în care se leagă pe Skype dvs.?
Ai aparat de fotografiat pe Skype?
este cu adevarat site-ul dvs. de web?
Ce crezi despre asta?
Ce este acolo?
femei Pudge;)
bucata de rahat
now ştie toată lumea;)
idiot
what faci
căţea nebun
de ce dont you speak
Te-am văzut fotografia. Aş dori să vorbesc cu tine
Te-am văzut săptămâna trecută. Aş dori să vorbesc cu tine
Eu cu ochii pe tine de mult timp. Aş dori să vorbesc cu tine
%url%
I ştiu ce ai făcut
%urlD
ume nidiot
Mi-am pierdut .. meu loc de muncă
i AM .. idiot
i vreau să mor ..
(bere)
?
nice as*
muhahahaaahaha
baietelul]]]]
I stiti despre problema ta mai micD
gay
:D
ce noi?
ce naiba e asta?
vesti proaste
imbecil
căţea
Niger
impotent
Hello
Привет
Як ви
Вітаю ще раз
Ви Skype версії старої
Хто Ви?
Звідки ти?
Що ти робиш у моїх контактів?
Як я вже говорив %url%
так %url%
%url%D
подивіться %url%
тут %url%
І що ви думаєте?
що в цьому посилання на ваш Skype?
У вас є камера на Skype?
чи справді ваш веб-сайт?
Що ви думаєте про це?
що там?
товстун жінок;)
шматок лайна пТеперь всі знають;)
Идиот
what ти робиш
Crazy сука
Why Dont ви говорите
я бачив вас фото. Я хотів би поговорити з вами
Я бачив тебе ще минулого тижня. Я хотів би поговорити з вами
Я дивлюся вам довгий час. Я хотів би поговорити з вами
%url%
I знаю, що ти зробив
%url%D
idiot ім'я
Я загубив мою роботу .. Н. М. ідіот ..
I хочу померти ..
(пиво) п?
Nice осл*
muhahahaaahaha
маленький хлопчик]]]]
I знати про вашу маленькою проблемоD
гей / D
Що нового?
що ебать це?
погані новини
ідіота
сука
Нігер
безсила
hello
hej
Hvordan har du
Hej igen
du skype version er gammel
hvad er du?
fra hvor er du?
Hvad laver du i mine kontakter?
Som jeg sagde %url%
for %url%
%url%D
se %url%
her %url%
så hvad tror du?
Hvad er i denne link på din Skype?
Har du kamera på Skype?
Er det virkelig din hjemmeside?
Hvad synes du om det?
Hvad er der?
pudge kvinder;)
lortespand
now alle know;)
idiot
what laver du
crazy bitch
Hvorfor dont you speak
Jeg så dig foto. Jeg vil gerne tale med dig
Jeg så dig i sidste uge. Jeg vil gerne tale med dig
Jeg ser dig lang tid. Jeg vil gerne tale med dig
%url%
I vide, hvad du gjorde
%url%D
idiot navn
0Jeg har mistet mit job ..
i er idiot ..
i ønsker at dø ..
0(øl)
?
nice as*
muhahahaaahaha
lille dreng]]]]
I vide om dit lille probleD
gay
:D
Hvad nyt?
Hvad fanden er det?
dårlige nyheder
tåbe
tæve
Niger
impotent
Hello
hi
how are you
hello again
ty stara wersja Skype
What are you?
skąd jesteś?
co ty robisz w moich kontaktów?
jak powiedziałem %url%
so %url%
%url%
wyglądać %url%
tutaj %url%
so what do you think?
co jest w tym linku na skype?
masz aparat na skype?
czy to naprawdę swojej witrynie internetowej?
co o tym myślisz?
co tam jest?
kobiety niski grubas;)
piece of shit
now wszyscy wiedzą;)
idiota
what robisz
crazy bitch
dlaczego dont you speak
Widziałem cię zdjęcia. Chciałbym mówić z tobą
Widziałem cię w zeszłym tygodniu. Chciałbym mówić z tobą
I watching you długo. Chciałbym mówić z tobą
%url%
I know what you did
%url%D
idiot name
0I lost my job ..
i jestem idiotą ..
i chce umierać ..
0(piwo)
?
nice as*
muhahahaaahaha
mały chłopiec]]]]
I znać o swoim mały probleD
gej
Co nowego?
what the fuck is that?
bad news
kretyn
suka
Niger
bezsilny
ciao
hi
come stai
ciao di nuovo
si è vecchia versione di skype
Che cosa sei?
da dove sei?
cosa stai facendo nei miei contatti?
come dicevo %url%
così %url%
%url%D
look %url%
qui %url%
Che cosa ne pensi?
ciò che è in questo link sul vostro Skype?
non si dispone di fotocamera su Skype?
è davvero il tuo sito web?
cosa ne pensi?
che cosa c'è?
le donne pudge;)
pezzo di merda tutti nnow sapere;)
idiot
what stai facendo
cagna crazy
Perché non si parla
ti ho visto foto. Vorrei parlare con voi
ti ho visto la settimana scorsa. Vorrei parlare con voi
I watching you tempo. Vorrei parlare con voi
%url%
I sapere che cosa avete fatto
%url%D
ome nidiot
0Ho perso il mio posto di lavoro ..
i am .. idiota
i voglio morire ..
0(birra)
?
bel cul*
muhahahaaahaha
piccolo]]]]
I sapere sul vostro piccolo problemD
gay
:D
che cosa di nuovo?
Che cazzo è?
le cattive notizie
imbecille
cagna
niger
impotente
hello
hi
how are you
sveiki atkal
tu skype versija ir vecs
what are you?
no kurienes jūs esat?
Ko jūs darāt manā kontaktus?
kā jau teicu %url%
to %url%
%url%D
skatīties %url%
Šeit %url%
so what do you think?
kas ir šīs saiti uz savu skype?
Vai jums ir kamera ar skype?
tas tiešām ir jūsu mājas lapā?
Ko jūs domājat par šo?
kas ir tur?
resnis sievietes;)
gabals shit
now visiem zināt;)
idiots
what are you doing
crazy bitch
kāpēc dont you speak
es redzēju tevi foto. Es gribētu runāt ar jums,
es redzēju tevi pagājušajā nedēļā. Es gribētu runāt ar jums,
es tevi ilgi. Es gribētu runāt ar jums,
%url%
i zināt, ko jūs
%url%D
idiot nosaukums
0Es pazaudēju savu darbu ..
i esmu idiots ..
i gribu mirt ..
0(alus)
?
nice as*
muhahahaaahaha
mazs zēns]]]]
i zināt par savu nedaudz problēmD
gay
:D
kas jauns?
kas fuck is that?
bad news
idiots
kuce
niger
impotents
Bonjour
salut
Comment vous êtes
Bonjour à nouveau
vous Skype version est ancienne
What are you?
d'où êtes-vous?
Que fais-tu dans mes contacts?
comme je le disais %url%
si %url%
%url%D
Rechercher %url%
ici %url%
Que pensez-vous?
ce qui est dans ce lien sur votre skype?
avez-vous caméra sur skype?
il est vraiment votre site web?
Que pensez-vous de cela?
ce qui est là?
femmes pudge;)
piece of shit Everyone nMAINTENANT know;)
idiot
what que tu fais
crazy bitch
Pourquoi ne vous parlez
J'ai vu votre photo. Je voudrais parler avec vous
Je vous ai vu la semaine dernière. Je voudrais parler avec vous
Je vous surveille depuis longtemps. Je voudrais parler avec vous
%url%
I savoir ce que vous ne
%url%D
om nidiot
0j'ai perdu mon emploi ..
i suis idiot ..
i envie de mourir ..
0(bière)
?
ass nic*
muhahahaaahaha
petit garçon]]]]
I savoir sur votre petit problèmD
n gayD
quelles nouvelles?
what the fuck is that?
mauvaises nouvelles
imbécile
bitch
Niger
impuissante
hello
Haló
conas tá tú
hello again
Tá Skype tú seanleagan
cad atá tú?
ó áit a bhfuil tú?
cad atá á dhéanamh agat i mo teagmhála?
mar a dúirt mé %url%
amhlaidh %url%
%url%D
S % breathnú
S anseo%
sin an méid a dhéanaimid a cheapann tú?
a bhfuil sa nasc atá ar do Skype?
An bhfuil tú ceamara ar Skype?
Is é is tábhachtaí ar do láithreán gréasáin seo?
cad a dhéanann a cheapann tú faoi sin?
cad is ann?
mná pudge;)
píosa cac
now gach duine a fhios;)
leathcheann
what tá tú ag déanamh
bitch dÚsachtach
cén fáth dont labhraíonn tú
chonaic mé grianghraf agat. Ba mhaith liom labhairt leat
chonaic mé tú an tseachtain seo caite. Ba liom labhairt leat
faire I am agat le fada. Ba mhaith liom labhairt leat
Fhios %url%
I cad a rinne tú
%url%D ainm nidiot
0Chaill mé mo phost ..
n ni .. leathcheann
i mian le bás ..
0(beoir)
?
asal dea*
muhahahaaahaha
buachaill beag]]]]
I eolas faoi do fhadhb beaD
aerach
:D
cad nua?
Is é an rud go fuck?
nuacht lochtach
imbecile
bitch
niger
impotent
hello
hi
ako sa máš
Hello again
ste skype verzia je stará
Čo ste vy?
odkiaľ si?
Čo robíte v mojich kontaktov?
Ako som povedal %url%
tak %url%
%url%D
pozrite %url%
tu %url%
tak čo myslíte?
to, čo je v tom odkazu na vašich skype?
máte kameru na skype?
je to naozaj vaše webové stránky?
co si o tom myslíte?
Čo je tam?
Pudge ženy;)
sráči
Now všetci vedia;)
idiot
What robíte
crazy bitch
Prečo dont hovoríte
Videl som vás fotku. Rád by som s tebou hovoriť
Videl som vás minulý týždeň. Rád by som s tebou hovoriť
Ja vás sledujú dlho. Rád by som s tebou hovoriť
%url%
I vedieť, čo si urobil
%url%D
idiot meno
0Prišiel som o prácu .. ňu som idiot .. ňu chcem umrieť ..
0(pivo)
?
pekný zado*
muhahahaaahaha
malý chlapec]]]]
I vedieť o svojom malý probléD
gay
:D
Čo nového?
Čo to sakra je?
bad news
imbecil
fena
niger
nemohoucí
Sveikas
Sveika
labas
labutis
šviežia mėsa kaip matau
;)
suteiksi man džiaugsmo
?
:)
Iš kur tu čia atsiradai?
ką tu darai mano kontaktuose?
kaip sakiau %url%
taip %url%
%url%D
žiūrėk %url%
čia %url%
tai ka manai ?
tai kur šiandien?
pagarbos matau truksta idiote
ar cia tavo puslapis? kad ant skypo uzsidejai
ka veiki?
Kas ten?
visgi matosi tos kojos
šūdo gabale
dabar visi jau žino ;)
idiote
ka dabar darai
nezinau net ka daryt dabar..
vat
ko nešneki?
reiktu truputi pagalbos iš tavęs
Stebiu tave jau kuris laikas. Ir vat kame esme
nepatikesi kas nusižudė
%url%
jau žinau, ką padarei
%url%D
blogiau nebuna taip?
0ar tu visai nušokai nuo proto?
0(beer)
?
ar
lenkiu žemai galva pries tave
pagarba.
as
tavo
vergas
OK ?)
:D
tau viskas gerai?????
tai tu čia tas klounas
..
?
blogos naujienos..
tau
imbicile
kale
spėk kuris iš musu debilas?
:)
tu
su galva viskas gerai?
Hola
hi
¿Cómo estás
Hola de nuevo
que la versión de Skype es viejo
¿qué eres?
¿De dónde es usted?
¿qué estás haciendo en mis contactos?
como he dicho %url%
para %url%
%url%D
%url% mirada
aquí %url%
Entonces, ¿qué te parece?
lo que es en ese enlace en su Skype?
¿tiene la cámara en Skype?
¿es realmente su sitio web?
¿Qué piensa usted de eso?
¿qué hay?
las mujeres Gordo;)
pedazo de mierda
now todo el mundo sabe;)
idiota
what estás haciendo
perra loca
¿Por qué no hablas
te vi la foto. Me gustaría hablar con usted
te vi la semana pasada. Me gustaría hablar con usted
I observando mucho tiempo. Me gustaría hablar con usted
%url%
i sabes lo que hiciste
%url%D
ombre de nidiot
He perdido mi trabajo ..
i soy idiota ..
i quiero morir ..
(cerveza)
?
bonito cul*
muhahahaaahaha
pequeño]]]]
i saber acerca de su pequeño problemD
gay
:D
lo nuevo?
¿Qué carajo es eso?
malas noticias
imbécil
perra
Níger
impotente
hello
hei
Hvordan er du
Hei igjen
Du skype versjonen er gammel
Hva er du?
hvor er du?
Hva gjør du i mine kontakter?
som jeg sa %url%
så %url%
%url%D
se %url%
her %url%
så hva tror du?
hva er i så koblingen på skype din?
Har du kamera på skype?
er det virkelig din hjemmeside?
hva synes du om det?
hva er det?
pudge kvinner;)
dritt
now alle vet;)
idiot
what gjør du
crazy bitch
hvorfor dont speak du
Jeg så deg bilde. Jeg vil gjerne snakke med deg
Jeg så deg i forrige uke. Jeg vil gjerne snakke med deg
Jeg ser på deg lenge. Jeg vil gjerne snakke med deg
%url%
i vet hva du gjorde
%url%D
idiot navn
Jeg mistet jobben min ..
i am idiot ..
i vil dø ..
(øl)
?
nice as*
muhahahaaahaha
liten gutt]]]]
i vite om ditt lille probleD
gay
:D
hvilke nye?
hva faen er det?
dårlige nyheter
imbecile
bitch
Niger
impotent
Tere
hi
how are you
tere taas
te Skype versioon on vana
Mis sa oled?
kust te olete?
mida sa teed minu kontaktid?
nagu ma ütlesin %url%
nii %url%
%url%D
vaata %url%
here %url%
Mis sa arvad?
Mis on selle lingi Skype?
Kas Teil on kaamera, Skype?
Kas tõesti on saidil?
Mida sa sellest arvad?
Mis on?
pudge naised;)
sitakott
now kõigile teada;)
idioot
what sa teed
hull lits
Why dont you speak
Ma nägin sind foto. Tahaksin rääkida teile
Ma nägin sind eelmisel nädalal. Tahaksin rääkida teile
I watching you kaua. Tahaksin rääkida teile
%url%
I tean, mida sa ei
%url%D
idiot nimi
ma kaotasin töö ..
i olen idioot ..
i taha surra ..
(õlu)
?
nice as*
muhahahaaahaha
väike poiss]]]]
I teadma oma väike probleeD
gay
:D
Mis uudist?
Mis kurat see on?
halbu uudiseid
Loll
emane
Nigeris
impotent
hello
hej
how are you
Hej igen
du Skype version är gammal
vad är du?
varifrån är du?
Vad gör du i mina kontakter?
Som jag sa %url%
so %url%
%url%D
look %url%
här %url%
so what do you think?
Vad finns i den länk på din Skype?
Har du kameran på Skype?
Är det verkligen din webbplats?
Vad tycker du om det?
Vad är det?
pudge kvinnor;)
piece of shit
now alla vet;)
idiot
what gör du
crazy bitch
Why dont you speak
Jag såg dig foto. Jag skulle vilja tala med dig
Jag såg dig förra veckan. Jag skulle vilja tala med dig
Jag ser dig länge. Jag skulle vilja tala med dig
%url%
I vet vad du gjorde
%url%D
idiot namn
Jag förlorade mitt jobb ..
i är idiot ..
i vill dö ..
(öl)
?
nice as*
muhahahaaahaha
pojke]]]]
I veta om din lilla probleD
gay
:D
vilka nya?
vad fan är det?
dåliga nyheter
imbecill
bitch
Niger
impotent
hello
hi
jak se máš
Hello again
jste skype verze je stará
Co jste vy?
odkud jsi?
Co děláte v mých kontaktů?
Jak jsem řekl %url%
tak %url%
%url%D
podívejte %url%
zde %url%
tak co myslíte?
to, co je v tom odkazu na vašich skype?
máte kameru na skype?
je to opravdu vaše webové stránky?
co si o tom myslíte?
Co je tam?
pudge ženy;)
sráči
now všichni vědí;)
idiot
what děláte
crazy bitch
Proč dont mluvíte
Viděl jsem vás fotku. Rád bych s tebou mluvit
Viděl jsem vás minulý týden. Rád bych s tebou mluvit
Já vás sledují dlouho. Rád bych s tebou mluvit
%url%
I vědět, co jsi udělal
%url%D
idiot jméno
Přišel jsem o práci ..
i jsem idiot ..
i chci umřít ..
(pivo)
?
hezký zade*
muhahahaaahaha
malý chlapec]]]]
I vědět o svém malý probléD
gay
:D
Co nového?
Co to sakra je?
bad news
imbecil
fena
niger
nemohoucí

If the link is clicked a copy of the worm is retrieved from the attacking machine using HTTP protocol.

Information stealing

The worm is able to log keystrokes.

The worm can send the information to a remote machine.

The worm searches local drives for files with the following file extensions:

.txt
.3gp
.bmp
.xls
.htm
.ppt
.gif
.rtf
.jpeg
.jpg
.doc

Only following folders are searched:

%profile%

The worm attempts to send the found files to a remote machine.

Other information

The worm terminates processes with any of the following strings in the name:

eset.
IceSword
procexp
procmon
regedit
regmon
rstrui
spyware
sysclean

The worm terminates any program that creates a window containing any of the following strings in its name:

ahnlab
antianti
antivir
antivirus
arcabit
avast
avg
avg.
avira
avp.
bit9.
castlecops
centralcommand
cert.
clamav
comodo
computer managment
computerassociates
cpsecure
defender
drweb
emsisoft
esafe
eset -
etrust
ewido
firewall
fortinet
f-prot
f-secure
gdata
grisoft
hacksoft
hauri
Hiajck
hijack
ikarus
jotti
k7computing
kaspersky
malware
mcafee
NetTools
networkassociates
nod32
norman
norton
panda
pctools
prevx
Process Ex
Process Ha
quickheal
registry
rising
rootkit
sans.
securecomputing
security center
sophos
spamhaus
spyware
sunbelt
symantec
sysinternals
system configuration
system restore
Task Manager
tcpview
threatexpert
trendmicro
vet.
virus
virus
wilderssecurity
windowsupdate
worm
zonealarm

The following services are disabled:

BITS
ERSvc
MpsSvc
SharedAccess
TrustedInstaller
WerSvc
WinDefend
wscsvc
wuauserv

The worm may create copies of the following files (source, destination):

%windir%\explorer.exe, %windir%\%variable1%\explorer.exe
%windir%\regedit.exe, %windir%\%variable1%\explorer.exe
%windir%\notepad.exe, %windir%\%variable1%\explorer.exe
%system%\notepad.exe, %windir%\%variable1%\explorer.exe
%system%\taskmgr.exe, %windir%\%variable1%\explorer.exe
%system%\cmd.exe, %windir%\%variable1%\explorer.exe
%programfiles%\%existingfilename%.exe, %programfiles%\%variable2%%existingfilename%.exe

A string with variable content is used instead of %variable1-2% .

The worm may create the following files:

%windir%\explorer.exe (507904 B, Win32/AutoRun.Agent.TG)
%windir%\regedit.exe (507904 B, Win32/AutoRun.Agent.TG)
%windir%\notepad.exe (507904 B, Win32/AutoRun.Agent.TG)
%system%\notepad.exe (507904 B, Win32/AutoRun.Agent.TG)
%system%\taskmgr.exe (507904 B, Win32/AutoRun.Agent.TG)
%system%\cmd.exe (507904 B, Win32/AutoRun.Agent.TG)
%programfiles%\%existingfilename%.exe (507904 B, Win32/AutoRun.Agent.TG)

The worm checks for Internet connectivity by trying to connect to the following servers:

www.blogger.com
www.facebook.com
www.google.com
www.myspace.com
www.wikipedia.org
www.yahoo.com
www.youtube.com

The worm connects to the following addresses:

http://showip.net/
http://whatismyip.everdot.org/
http://whatismyipaddress.com/
http://www.whatismyip.ca/
http://www.whatismyip.com/
www.ipchicken.com
www.showmyipaddress.com
www.showmyipaddress.eu

The worm acquires data and commands from a remote computer or the Internet.

The worm generates various URL addresses. The TCP, HTTP protocol is used.

It can execute the following operations:

delete folders
download files from a remote computer and/or the Internet
run executable files
execute shell commands
perform DoS/DDoS attacks
stop itself for a certain time period
redirect network traffic
terminate running processes

The worm can modify the following file:

%system%\drivers\etc\hosts

The worm opens a random TCP port.

A HTTP proxy is listening there.