Win32/Boberog [Threat Name]

Win32/Boberog.AQ [Threat Variant Name]

Category worm
Size 53912 B
Detection created Mar 25, 2010
Detection database version 10223
Aliases Heur.Trojan.Generic (Kaspersky)
  Worm:Win32/Pushbot (Microsoft)
  W32/Heuristic-257!Eldorado (F-Prot)
Short description

Win32/Boberog.AQ is a worm that spreads via IM networks. The worm contains a backdoor. It can be controlled remotely.

Installation

When executed, the worm copies itself into some of the following locations:

  • %desktop%\dlll.exe (53912 B)
  • %appdata%\dlll.exe (53912 B)

In order to be executed on every system start, the worm sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "Windows System Guard" = "%desktop%\dlll.exe"
    • "Windows System Guard" = "%appdata%\dlll.exe"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "Windows System Guard" = "%desktop%\dlll.exe"
    • "Windows System Guard" = "%appdata%\dlll.exe"

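
The persistence entries above are the most reliable host artefact to check for during triage. The following Python script is an added example, not part of the original threat description: it parses the text of a `reg export` of the two Run keys (assumed to be already decoded from UTF-16LE into a string) and flags any value whose name is "Windows System Guard" or whose command line points at a file named dlll.exe, the two indicators given on this page. The export text embedded in the script is constructed sample data; the "OneDrive" and "SecurityHealth" entries are benign filler.

```python
import os
import re

# Indicators from the page: the Run value name the worm sets and the file it drops.
RUN_VALUE_NAME = "Windows System Guard"
DROPPED_FILENAME = "dlll.exe"
# Both autostart keys listed on the page (compared case-insensitively).
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
}

# Constructed sample of a `reg export` file, already decoded to text (real exports
# are UTF-16LE). The "OneDrive" and "SecurityHealth" entries are benign filler.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
"Windows System Guard"="C:\\Users\\alice\\AppData\\Roaming\\dlll.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
'''

_KEY_RE = re.compile(r"^\[(.+)\]$")
# "name"=<data>; the name may itself contain escaped quotes or backslashes.
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s):
    """Undo the backslash escaping used inside .reg string values."""
    return s.replace('\\\\', '\\').replace('\\"', '"')


def parse_reg_export(text):
    """Return (key, value_name, data) tuples for every value in the export."""
    entries = []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = _KEY_RE.match(line)
        if key_match:
            current_key = key_match.group(1)
            continue
        value_match = _VALUE_RE.match(line)
        if value_match and current_key is not None:
            name = _unescape(value_match.group(1))
            data = value_match.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])  # REG_SZ; other types are left raw
            entries.append((current_key, name, data))
    return entries


def _command_exe(cmd):
    """Extract the executable path from a Run command line (quoted or not)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def find_boberog_persistence(text):
    """Flag Run values matching the value name or dropped filename from the page."""
    findings = []
    for key, name, data in parse_reg_export(text):
        if key.lower() not in RUN_KEYS:
            continue
        exe = _command_exe(data).replace("\\", "/")  # basename works on any OS
        if name == RUN_VALUE_NAME or os.path.basename(exe).lower() == DROPPED_FILENAME:
            findings.append({"key": key, "value_name": name, "data": data})
    return findings


if __name__ == "__main__":
    for hit in find_boberog_persistence(SAMPLE_REG_EXPORT):
        print(f"[{hit['key']}] {hit['value_name']!r} -> {hit['data']}")
```

Matching on the filename as well as the value name catches a copy whose Run value was renamed; matching on the value name catches a copy that was dropped under a different filename than the two listed here.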
Spreading via IM networks

Win32/Boberog.AQ is a worm that spreads via IM networks.

The worm sends links to MSN, Yahoo, ICQ, Skype, AIM, Paltalk users.

The message contains a URL link to a website containing malware.

If the link is clicked, a copy of the worm is downloaded.

The messages may contain any of the following texts:

  • olhar para esta foto :D %url%
  • se på dette bildet :D %url%
  • bekijk deze foto :D %url%
  • schau mal das foto an :D %url%
  • look at this picture :D %url%
  • mira esta fotografía :D %url%
  • regardez cette photo :D %url%
  • guardare quest'immagine :D %url%
  • podívejte se na mou fotku :D %url%
  • ser på dette billede :D %url%
  • nézd meg a képet :D %url%
  • spojrzec na to zdjecie :D %url%
  • bu resmi bakmak :D %url%
  • katso tätä kuvaa :D %url%
  • uita-te la aceasta fotografie :D %url%
  • pozrite sa na túto fotografiu :D %url%
  • titta på denna bild :D %url%
  • poglej to fotografijo :D %url%
  • pogledaj to slike :D %url%
  • seen this?? :D %url%

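
The lure texts are a fixed set with a single `%url%` slot, which makes them a good signature for IM gateway or archive logs. The script below is an added example, not part of the original page: it compiles each template into an anchored, case-insensitive regex that captures the link, scans IM log lines, and counts lures per sending account, since one account sending the same "look at this picture" text to several contacts in a short window is the behaviour of an infected host rather than a user. The log format (`<date> <time> [<network>] <sender>-><recipient>: <text>`) and the log lines themselves are constructed for the example; the domain example.invalid is a reserved placeholder, not a real site.

```python
import re
from collections import Counter

# Lure texts as listed on the page; %url% is the page's placeholder for the link.
LURE_TEMPLATES = [
    "olhar para esta foto :D %url%",
    "se på dette bildet :D %url%",
    "bekijk deze foto :D %url%",
    "schau mal das foto an :D %url%",
    "look at this picture :D %url%",
    "mira esta fotografía :D %url%",
    "regardez cette photo :D %url%",
    "guardare quest'immagine :D %url%",
    "podívejte se na mou fotku :D %url%",
    "ser på dette billede :D %url%",
    "nézd meg a képet :D %url%",
    "spojrzec na to zdjecie :D %url%",
    "bu resmi bakmak :D %url%",
    "katso tätä kuvaa :D %url%",
    "uita-te la aceasta fotografie :D %url%",
    "pozrite sa na túto fotografiu :D %url%",
    "titta på denna bild :D %url%",
    "poglej to fotografijo :D %url%",
    "pogledaj to slike :D %url%",
    "seen this?? :D %url%",
]

_URL_RE = r"(?P<url>https?://\S+|www\.\S+)"
# Constructed log format (assumption): "<date> <time> [<network>] <sender>-><recipient>: <text>"
_LOG_LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[(?P<network>\w+)\] (?P<sender>\S+)->(?P<recipient>\S+): (?P<text>.*)$"
)

# Constructed sample log; example.invalid is a reserved placeholder domain.
SAMPLE_IM_LOG = """\
2010-03-25 10:02:11 [msn] alice->bob: look at this picture :D http://example.invalid/photo.php?id=1
2010-03-25 10:02:15 [skype] bob->alice: haha which one?
2010-03-25 10:03:40 [icq] alice->carol: mira esta fotografía :D http://example.invalid/foto.php
2010-03-25 10:05:02 [aim] dave->erin: seen this?? :D www.example.invalid/pic
2010-03-25 10:06:30 [yahoo] erin->dave: seen the new release notes? http://example.invalid/notes
"""


def compile_lure_patterns(templates=LURE_TEMPLATES):
    """Turn each template into an anchored, case-insensitive regex with a URL capture."""
    patterns = []
    for template in templates:
        head = template.split("%url%", 1)[0].strip()
        regex = re.compile(r"^\s*" + re.escape(head) + r"\s+" + _URL_RE + r"\s*$", re.IGNORECASE)
        patterns.append((template, regex))
    return patterns


def scan_im_log(log_text, patterns=None):
    """Return one hit per log line whose message text matches a lure template."""
    patterns = patterns or compile_lure_patterns()
    hits = []
    for line in log_text.splitlines():
        entry = _LOG_LINE_RE.match(line)
        if not entry:
            continue  # not in the expected log format; skip
        for template, regex in patterns:
            lure = regex.match(entry.group("text"))
            if lure:
                hits.append({
                    "ts": entry.group("ts"),
                    "network": entry.group("network"),
                    "sender": entry.group("sender"),
                    "recipient": entry.group("recipient"),
                    "template": template,
                    "url": lure.group("url"),
                })
                break
    return hits


def lures_per_sender(hits):
    """Count lure messages by sending account; high counts point at an infected host."""
    return Counter(hit["sender"] for hit in hits)


if __name__ == "__main__":
    found = scan_im_log(SAMPLE_IM_LOG)
    for hit in found:
        print(f"{hit['ts']} {hit['network']} {hit['sender']} -> {hit['recipient']}: {hit['url']}")
    print(dict(lures_per_sender(found)))
```

Anchoring the pattern on both ends keeps a casual message that merely contains a link (the last sample line) from matching; the extracted URLs are what you would then hand to a proxy or DNS block list.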
Other information

The worm acquires data and commands from a remote computer or the Internet.

The worm connects to the following addresses:

  • winupdservice.net

The IRC protocol is used in the communication.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • spread via IM networks
  • perform DoS/DDoS attacks
  • collect information about the operating system used
