Win32/Pinit [Threat Name]

Win32/Pinit.AF [Threat Variant Name]

Category: worm
Size: 261120 B
Aliases: Trojan-Clicker.Win32.Vesloruki.dnk (Kaspersky)
         Worm/Mariofev.A.26 (Avira)
         Worm:Win32/Mariofev.A (Microsoft)
Short description

Win32/Pinit.AF is a worm that spreads via shared folders.

Installation

When executed, the worm copies itself into the %system% folder using the following name:

  • cooper.mine

The following files are dropped in the same folder:

  • nmklo.dll
  • dfg5j.fw
  • feq2.zt
  • fe6hbfe1.an
  • veyi.r3
  • 3fse.sr
  • %variable1%
  • %variable2%

The following files are modified:

  • %system%\user32.dll
  • %system%\dllcache\user32.dll

Overwriting the dllcache copy as well is meant to defeat Windows File Protection's restore from cache, so a suspect user32.dll should be checked against its catalog (Authenticode) signature or a known-good copy from installation media, not against the cached copy.

The following Registry entry is set:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    • "Appi%variable3%t_Dlls" = "nmklo"

This is the AppInit_DLLs mechanism: the dropped nmklo.dll is loaded into every process that loads user32.dll, so the worm's code runs whenever an application starts. Registry value names are case-insensitive, so a case-varied spelling of AppInit_DLLs is still honoured by Windows; detection logic should compare the value name case-insensitively rather than match a fixed literal.

A string with variable content is used instead of %variable1-3%.

The worm registers itself as a system service using the following name:

  • OKAHAI Service

The worm may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\1]
    • "31AC70412E939D72A9234CDEBB1AF5867B"
    • "31897356954C2CD3D41B221E3F24F99BBA"
    • "31C2E1E4D78E6A11B88DFA803456A1FFA5"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\6]
    • "31AC70412E939D72A9234CDEBB1AF5867B"
    • "31897356954C2CD3D41B221E3F24F99BBA"
    • "31C2E1E4D78E6A11B88DFA803456A1FFA5"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\7]
    • "31AC70412E939D72A9234CDEBB1AF5867B"
    • "31897356954C2CD3D41B221E3F24F99BBA"
    • "31C2E1E4D78E6A11B88DFA803456A1FFA5"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\8]
    • "31AC70412E939D72A9234CDEBB1AF5867B"
    • "31897356954C2CD3D41B221E3F24F99BBA"
    • "31C2E1E4D78E6A11B88DFA803456A1FFA5"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\9]
    • "31AC70412E939D72A9234CDEBB1AF5867B"
    • "31897356954C2CD3D41B221E3F24F99BBA"
    • "31C2E1E4D78E6A11B88DFA803456A1FFA5"

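To triage a host for the persistence described above, the following added example (not ESET's code and not the worm's) parses a `reg export` style dump and reports the AppInit_DLLs entry, the OKAHAI service key and the HKLM\SOFTWARE\<n> marker keys. The .reg text, the service ImagePath and the allowlist are constructed assumptions; the value name in the sample is deliberately case-varied to show why the match must be case-insensitive.

```python
import re

APPINIT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
SERVICES_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"

# Constructed sample (not a real export): a cut-down 'reg export' of an infected
# host. The value name is case-varied on purpose: registry names are
# case-insensitive, so Windows still honours it, but a case-sensitive match for
# "AppInit_DLLs" would miss it. The ImagePath is an assumption.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppiNIt_Dlls"="nmklo"
"LoadAppInit_DLLs"=dword:00000001
"DeviceNotSelectedTimeout"="15"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\OKAHAI Service]
"ImagePath"="C:\\WINDOWS\\system32\\cooper.mine"
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\7]
"31AC70412E939D72A9234CDEBB1AF5867B"=""
"""

_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s):
    # .reg string syntax escapes backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: value}}.
    Handles quoted strings and dword: values; other types are kept raw."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if m is None or current is None:
            continue
        name, raw = _unescape(m.group(1)), m.group(2)
        if raw.startswith("dword:"):
            value = int(raw[len("dword:"):], 16)
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            value = _unescape(raw[1:-1])
        else:
            value = raw
        keys[current][name] = value
    return keys


def _get_key(keys, path):
    # Key paths are case-insensitive in the registry, so compare lower-cased.
    for k, vals in keys.items():
        if k.lower() == path.lower():
            return vals
    return {}


def check_appinit(keys, allowlist=()):
    """Return (value_name, dll) pairs for every DLL named in AppInit_DLLs that
    is not allowlisted. The value name is matched case-insensitively."""
    allowed = {a.lower() for a in allowlist}
    hits = []
    for name, value in _get_key(keys, APPINIT_KEY).items():
        if name.lower() != "appinit_dlls" or not isinstance(value, str):
            continue
        # The value is a list of DLL names or paths separated by spaces or commas.
        for dll in re.split(r"[ ,;]+", value.strip()):
            if dll and dll.lower() not in allowed:
                hits.append((name, dll))
    return hits


def check_services(keys, names=("OKAHAI Service",)):
    """Return (service_name, ImagePath) for service keys whose name is in `names`."""
    wanted = {n.lower() for n in names}
    prefix = SERVICES_KEY.lower() + "\\"
    hits = []
    for k, vals in keys.items():
        if k.lower().startswith(prefix):
            svc = k[len(prefix):]
            if svc.lower() in wanted:
                hits.append((svc, vals.get("ImagePath")))
    return hits


def check_marker_keys(keys):
    r"""Return the HKLM\SOFTWARE\<n> keys (n in 1, 6, 7, 8, 9) this variant may create."""
    pat = re.compile(r"HKEY_LOCAL_MACHINE\\SOFTWARE\\[16789]", re.IGNORECASE)
    return sorted(k for k in keys if pat.fullmatch(k))


if __name__ == "__main__":
    reg = parse_reg(SAMPLE_REG)
    print("AppInit_DLLs:", check_appinit(reg))
    print("services:    ", check_services(reg))
    print("marker keys: ", check_marker_keys(reg))
```

On a live host the same dump is produced with `reg export HKLM hklm.reg`; the allowlist parameter exists because some legitimate products register themselves in AppInit_DLLs, so an empty list reports everything and a tuned list reports only the unexpected entries.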
Spreading via shared folders

Win32/Pinit.AF is a worm that spreads via shared folders.

It tries to copy itself to the following administrative shares on a remote machine (IPC$ is the named-pipe share used to set up the session; admin$ maps to the remote %windir%):

  • \\%remotecomputer%\IPC$\
  • \\%remotecomputer%\admin$\

The following names are used:

  • GameLoft.exe

The worm tries a built-in list of usernames and passwords when authenticating to remote machines.

The following usernames are used:

  • administrator

The following passwords are used:

  • 0
  • 1
  • 11
  • 13
  • 123
  • 133
  • 666
  • 777
  • 1212
  • 1234
  • 1313
  • 12345
  • 123456
  • 12345678
  • !@#
  • 123abc
  • a1b2c3
  • abc123
  • adm
  • admin
  • administrator
  • alex
  • andrew
  • apple
  • asa
  • avalon
  • baseball
  • bear
  • buster
  • calvin
  • canada
  • carmen
  • changeme
  • computer
  • diamond
  • donald
  • dragon
  • fuckme
  • fuckyou
  • harley
  • hello
  • hockey
  • internet
  • jordan
  • letmein
  • maggie
  • matthew
  • michael
  • michelle
  • mickey
  • mike
  • miller
  • mindy
  • money
  • mustang
  • ou812
  • pass
  • password
  • patick
  • q
  • qaz
  • qazxsw
  • qqq
  • qwerty
  • qwerty1
  • qwerty12
  • ranger
  • secret
  • service
  • shadow
  • snoopy
  • summer
  • test
  • test
  • tiger
  • tigger
  • trustno1
  • xxx
  • zaq
  • zaqwsx
  • zzz
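On the victim side this guessing shows up as a burst of failed network logons for the administrator account from one source, followed by a success once a weak password from the list above matches. The following added example (not ESET's code) detects that pattern over Windows Security events 4625 and 4624. The event records are constructed, not captured, and the threshold and window values are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

NETWORK_LOGON = 3  # logon type that SMB authentication produces


def _ev(time, event_id, user, src):
    # Minimal projection of a Security event: 4625 = failed logon, 4624 = success.
    return {"time": time, "id": event_id, "user": user, "src": src, "logon_type": NETWORK_LOGON}


# Constructed sample records (not a captured log):
#  - 10.0.0.17 hammers 'administrator' six times in six seconds, then gets in;
#  - 10.0.0.99 fails five times, but three minutes apart, outside the window;
#  - 10.0.0.44 is a user mistyping a password once and succeeding later.
EVENTS = (
    [_ev(f"2010-03-02T10:00:{s:02d}", 4625, "administrator", "10.0.0.17") for s in range(1, 7)]
    + [_ev("2010-03-02T10:00:08", 4624, "Administrator", "10.0.0.17")]
    + [_ev(f"2010-03-02T10:{m:02d}:00", 4625, "administrator", "10.0.0.99") for m in (10, 13, 16, 19, 22)]
    + [_ev("2010-03-02T10:05:00", 4625, "jsmith", "10.0.0.44"),
       _ev("2010-03-02T11:00:00", 4624, "jsmith", "10.0.0.44")]
)


def detect_smb_bruteforce(events, threshold=5, window=timedelta(minutes=2)):
    """Return one alert per (source, account) that produced at least `threshold`
    failed network logons inside `window`. 'compromised' is True when a
    successful logon for the same pair follows the burst."""
    by_pair = defaultdict(list)
    for e in events:
        if e["logon_type"] != NETWORK_LOGON or e["id"] not in (4624, 4625):
            continue
        # Account names are case-insensitive: 'Administrator' and 'administrator'
        # must land in the same bucket.
        by_pair[(e["src"], e["user"].lower())].append((datetime.fromisoformat(e["time"]), e["id"]))

    alerts = []
    for (src, user), recs in by_pair.items():
        recs.sort()
        fails = [t for t, eid in recs if eid == 4625]
        for i in range(len(fails)):
            # Widen [i, j] while the failures stay inside the window.
            j = i
            while j + 1 < len(fails) and fails[j + 1] - fails[i] <= window:
                j += 1
            if j - i + 1 >= threshold:
                compromised = any(eid == 4624 and t >= fails[j] for t, eid in recs)
                alerts.append({"src": src, "user": user, "failures": j - i + 1,
                               "first": fails[i].isoformat(), "compromised": compromised})
                break  # one alert per pair is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_smb_bruteforce(EVENTS):
        print(alert)
```

The sliding window is what separates the worm's rapid dictionary run from a user who mistypes a password a few times over a morning; widening the window to cover the slow source shows the trade-off, since it then alerts on 10.0.0.99 as well.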
Other information

The worm may create the following files:

  • c:\work.log
  • c:\crash.dmp
  • c:\crashdump.log
  • %windir%\mqcd.dbt
  • %system%\system32\cls32.exe

The worm may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion]
    • "MID"
    • "st"
    • "dwn"
    • "ccnt"
    • "nhr"

The worm connects to the following addresses:

  • http://shponchik.com/gda/gate/data.php
  • http://shponchik.com/gda/gate/r.php

It can send various information about the infected computer.

The following information is collected:

  • antivirus software detected on the affected machine
  • installed software
  • operating system version
