Win32/Clofect [Threat Name] go to Threat

Win32/Clofect.A [Threat Variant Name]

Category worm
Size 77824 B
Aliases VipAntiSpyware (Symantec)
Short description

Win32/Clofect.A is a worm that spreads by copying itself into the root folders of available drives.


When executed, the worm creates the following files:

  • %userprofile%\­Datos de programa\­Microsoft\­Internet Explorer\­QuickLaunch\­Windows Live Messenger.lnk
  • %userprofile%\­ConfiguraciĆ³n local\­Datos de programa\­Google\­Windows Live Messenger.lnk
  • %commonstartup%\­Windows Live Messenger.lnk
  • %commonstartup%\­Actualizaciones de Windows Live.lnk
  • %commonstartup%\­Detector de Spywares de Windows Live.lnk
  • %desktop%\­Windows Live Messenger.lnk
  • %commonprograms%\­Windows Live Messenger.lnk
  • %commondesktop%\­Windows Live Messenger.lnk
  • %programfiles%\­Windows Live Messenger.lnk
  • %startmenu%\­Windows Live Messenger.lnk
  • %recent%\­Windows Live Messenger.lnk
  • C:\­Informacion Importante.lnk
  • C:\­Mejores Amigos.lnk

The worm copies itself into the root folders of all drives using the following name:

  • inf.exe

The following file is dropped in the same folder:

  • autorun.inf

Thus, the worm ensures it is started each time infected media is inserted into the computer.

The worm also searches for folders on local drives.

When the worm finds a folder matching the search criteria, it creates a new copy of itself.

The name of the new file is based on the name of the folder found in the search.

The extension of the file is ".exe" .

The folder may have the System (S) and Hidden (H) attributes set in attempt to hide the folder in Windows Explorer.

The following Registry entries are set:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Policies\­System]
    • "DisableTaskMgr" = 1
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Internet Explorer\­Main]
    • "Start Page" = ""
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Internet Explorer\­Main]
    • "Window Title" = "::M0rPheU$:: v2.1"
  • [HKEY_CLASSES_ROOT\­Directory\­shell\­DOSAqui]
    • "(Default)" = "Abrir Carpeta"
  • [HKEY_CLASSES_ROOT\­Directory\­shell\­DOSAqui\­Command]
    • "(Default)" = "mshta.exe"
  • [HKEY_CLASSES_ROOT\­Drive\­shell\­DOSAqui]
    • "(Default)" = "Abrir Unidad de Disco"
  • [HKEY_CLASSES_ROOT\­Drive\­shell\­DOSAqui\­Command]
    • "(Default)" = "mshta.exe"
  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Control\­Terminal Server]
    • "fDenyTSConnections" = 0
  • [HKEY_CLASSES_ROOT\­WinRAR\­shell\­open\­command]
    • "(Default)" = ""%system%\­mshta.exe" ";p=WinRar;f=%1""
Other information

The worm may delete files stored in the following folders:

  • C:\­Archivos de programa\­ESET\­ESET NOD32 Antivirus\­
  • C:\­Archivos de programa\­Alwil Software\­Avast4\­
  • C:\­Archivos de programa\­AVG\­AVG8\­
  • C:\­Archivos de programa\­Avira\­AntiVir Desktop\­
  • C:\­Archivos de programa\­McAfee Security Scan\­
  • C:\­Archivos de programa\­Mozilla Firefox\­
  • C:\­Archivos de programa\­Google\­Update\­
  • %userprofile%\­ConfiguraciĆ³n local\­Datos de programa\­Google\­

The following programs are terminated:

  • avgnt.exe
  • avguard.exe
  • avshadow.exe
  • chrome.exe
  • firefox.exe
  • GoogleCrashHandler.exe
  • GoogleUpdate.exe
  • msnmgr.exe
  • spy2010.exe
  • _2010v23.exe

The worm contains a list of (10) URLs.

It tries to download several files from the addresses.

These are stored in the following locations:

  • c:\­
  • c:\­msn\­mails.hta
  • c:\­msn\­mc1.hta
  • c:\­msn\­mailer.tpl
  • c:\­msn\­
  • c:\­msn\­
  • c:\­M0rPheU$_Esta_Aqui.jpg

The files are then executed.

Please enable Javascript to ensure correct displaying of this content and refresh this page.