Win32/Pinit [Threat Name]

Win32/Pinit.B [Threat Variant Name]

Category worm
Size 126976 B
Aliases Trojan-Dropper.Win32.Agent.aaki (Kaspersky)
  Generic.Dropper (McAfee)
  W32.Spamuzle.D (Symantec)
Short description

The worm tries to copy itself into shared folders of machines on a local network.

Installation

When executed, the worm copies itself into the %system% folder using the following name:

  • aston.mt (126976 B)

The following files are dropped in the same folder:

  • nvaux32.dll (237576 B)
  • e.spa (32768 B)
  • adj.j (32768 B)
  • devh.e2 (37376 B)
  • rdxz.e (63488 B)

The worm may create copies of the following files (source, destination):

  • %system%\user32.dll, %system%\%variable%

A string with variable content is used instead of %variable%.

The worm modifies the following file:

  • %system%\user32.dll

In order to be executed on every system start, the worm sets the following Registry entry:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    • "%variable%Init_Dlls" = "nvaux32"

A string with variable content is used instead of %variable%. This key holds the AppInit_DLLs load point that user32.dll reads, so a DLL named there is mapped into every process that loads user32.dll; note that the worm also modifies %system%\user32.dll (see above).
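
The installation artifacts above (the dropped file names and sizes, the value ending in Init_Dlls under the Windows NT\CurrentVersion\Windows key, and the modified user32.dll) can be swept for on a host. The following is an added example, not ESET's code and not part of the original description. Only the file names, sizes, registry key and value-name pattern come from the write-up; the function names, the suffix-based matching of the value name (because the write-up gives only "%variable%Init_Dlls"), and the idea of comparing user32.dll against a baseline hash taken from a clean host of the same build are this example's own assumptions. The registry read only works on Windows; the matchers themselves are plain functions that run anywhere.

```python
import hashlib
import os
import re
import sys

# %system% on a live host; overridable for tests or offline image analysis.
SYSTEM_DIR = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")

# Dropped-file names and sizes from the description (aston.mt is the worm's own copy).
DROPPED_FILES = {
    "aston.mt": 126976,
    "nvaux32.dll": 237576,
    "e.spa": 32768,
    "adj.j": 32768,
    "devh.e2": 37376,
    "rdxz.e": 63488,
}

# Key that holds the AppInit_DLLs load point read by user32.dll.
INIT_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
LOADED_DLL = "nvaux32"


def match_dropped_files(listing):
    """listing maps file name -> size in bytes. Returns the names that match
    both the name and the size of a file listed in the description."""
    return sorted(name for name, size in listing.items()
                  if DROPPED_FILES.get(name.lower()) == size)


def match_init_dlls(values):
    """values maps registry value name -> data under INIT_KEY. The description
    gives the value name only as '%variable%Init_Dlls', so every value whose
    name ends in Init_Dlls is checked (assumption); it is reported when any DLL
    it names (comma- or space-separated, with or without '.dll') is nvaux32."""
    hits = []
    for name, data in values.items():
        if not name.lower().endswith("init_dlls") or not isinstance(data, str):
            continue
        for token in re.split(r"[,\s]+", data.strip().lower()):
            if token.endswith(".dll"):
                token = token[:-4]
            if token == LOADED_DLL:
                hits.append(name)
                break
    return hits


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def user32_tampered(path, known_good_sha256):
    """True when user32.dll differs from a baseline hash captured on a clean
    host of the same Windows build (the worm modifies this file)."""
    return sha256_of(path).lower() != known_good_sha256.lower()


def read_init_key_values():
    """Reads INIT_KEY from the live registry; returns {} off Windows."""
    if sys.platform != "win32":
        return {}
    import winreg
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, INIT_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            values[name] = data
            index += 1
    return values


def sweep(system_dir=SYSTEM_DIR, known_good_user32_sha256=None):
    """Runs all three checks against the live host and returns a report dict."""
    listing = {}
    try:
        for name in os.listdir(system_dir):
            try:
                listing[name] = os.path.getsize(os.path.join(system_dir, name))
            except OSError:
                pass
    except OSError:
        pass
    report = {
        "dropped_files": match_dropped_files(listing),
        "init_dlls_values": match_init_dlls(read_init_key_values()),
    }
    if known_good_user32_sha256:
        report["user32_tampered"] = user32_tampered(
            os.path.join(system_dir, "user32.dll"), known_good_user32_sha256)
    return report


if __name__ == "__main__":
    print(sweep())
```

Matching on size as well as name keeps a coincidental file called e.spa from firing; the name-only suffix match for Init_Dlls is deliberately loose because the write-up does not give the full value name. A baseline hash for user32.dll must come from a clean machine with the same Windows build and patch level, since the file legitimately changes with updates.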

Spreading via shared folders

Win32/Pinit.B is a worm that spreads via shared folders.

The worm tries to copy itself into shared folders of machines on a local network.

The following usernames are used:

  • administrator

The following passwords are used:

  • 0
  • 1
  • 11
  • 13
  • 123
  • 133
  • 666
  • 777
  • 1212
  • 1234
  • 1313
  • 12345
  • 123456
  • 12345678
  • !@#
  • 123abc
  • a1b2c3
  • abc123
  • adm
  • admin
  • administrator
  • alex
  • andrew
  • apple
  • asa
  • avalon
  • baseball
  • bear
  • buster
  • calvin
  • canada
  • carmen
  • changeme
  • computer
  • diamond
  • donald
  • dragon
  • fuckme
  • fuckyou
  • harley
  • hello
  • hockey
  • internet
  • jordan
  • letmein
  • maggie
  • matthew
  • michael
  • michelle
  • mickey
  • mike
  • miller
  • mindy
  • money
  • mustang
  • ou812
  • pass
  • password
  • patrick
  • q
  • qaz
  • qazxsw
  • qqq
  • qwerty
  • ranger
  • secret
  • service
  • shadow
  • snoopy
  • summer
  • test
  • tiger
  • tigger
  • trustno1
  • xxx
  • zaq
  • zaqwsx
  • zzz

The following filenames are used for the copy placed on the remote machine:

  • MarioForever.exe
  • %system%\cls.exe

The file is then remotely executed.

The worm registers itself as a system service using the following name:

  • OKAMAI Service
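
The spreading behaviour above leaves a recognisable sequence on the victim: a burst of failed logons for the single account "administrator" from one source, then a successful network logon, then a file named MarioForever.exe or cls.exe written over the share and a service called "OKAMAI Service" being installed. The following detection logic is an added example, not part of ESET's description. It works over Windows event records already parsed into dicts; event IDs 4625 (failed logon), 4624 (successful logon, logon type 3 = network), 5145 (share object access) and 7045 (service installed) are the standard Windows IDs, while the field names, the threshold of 8 failures in 5 minutes and the sample events at the bottom are this example's own constructions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

TARGET_ACCOUNT = "administrator"   # the only username the worm tries
FAIL_THRESHOLD = 8                 # failed logons from one source within WINDOW (assumed)
WINDOW = timedelta(minutes=5)
DROP_NAMES = {"marioforever.exe", "cls.exe"}
SERVICE_NAME = "okamai service"


def _t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def spray_end(times):
    """Given sorted failure times from one source, returns the time of the
    failure that completes a burst of FAIL_THRESHOLD within WINDOW, or None."""
    for i, start in enumerate(times):
        j = i
        while j < len(times) and times[j] - start <= WINDOW:
            j += 1
        if j - i >= FAIL_THRESHOLD:
            return times[j - 1]
    return None


def correlate(events):
    """events: dicts with 'id', 'time' (datetime), 'src' and the per-ID fields
    used below. Returns (severity, src, message) tuples."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        fails = [e["time"] for e in evs
                 if e["id"] == 4625 and e.get("user", "").lower() == TARGET_ACCOUNT]
        end = spray_end(fails)
        if end is None:
            continue
        alerts.append(("medium", src,
                       f"{FAIL_THRESHOLD}+ failed logons as {TARGET_ACCOUNT} within {WINDOW}"))
        # Only events from the end of the spray onward count as follow-up.
        later = [e for e in evs if e["time"] >= end]
        logged_in = any(e["id"] == 4624 and e.get("logon_type") == 3
                        and e.get("user", "").lower() == TARGET_ACCOUNT for e in later)
        dropped = [e["object"] for e in later if e["id"] == 5145
                   and e.get("object", "").rsplit("\\", 1)[-1].lower() in DROP_NAMES]
        service = any(e["id"] == 7045 and e.get("service", "").lower() == SERVICE_NAME
                      for e in later)
        if logged_in and (dropped or service):
            detail = ", ".join(dropped + (["service OKAMAI Service installed"] if service else []))
            alerts.append(("high", src,
                           f"network logon as {TARGET_ACCOUNT} after spray, then {detail}"))
    return alerts


# Constructed sample: 10.0.0.5 sprays, logs in, drops cls.exe and installs the
# service; 10.0.0.7 produces only three failures and must not alert.
SAMPLE_EVENTS = [
    {"id": 4625, "time": _t(f"2024-01-01 12:00:{i:02d}"), "src": "10.0.0.5", "user": "administrator"}
    for i in range(10)
] + [
    {"id": 4624, "time": _t("2024-01-01 12:00:12"), "src": "10.0.0.5", "user": "administrator", "logon_type": 3},
    {"id": 5145, "time": _t("2024-01-01 12:00:15"), "src": "10.0.0.5", "object": "ADMIN$\\cls.exe"},
    {"id": 7045, "time": _t("2024-01-01 12:00:20"), "src": "10.0.0.5", "service": "OKAMAI Service"},
] + [
    {"id": 4625, "time": _t(f"2024-01-01 12:05:{i:02d}"), "src": "10.0.0.7", "user": "administrator"}
    for i in range(3)
]

if __name__ == "__main__":
    for severity, src, msg in correlate(SAMPLE_EVENTS):
        print(severity, src, msg)
```

The spray alone is only medium severity because a locked-out admin or a misconfigured script produces the same failures; the escalation to high requires the successful network logon plus one of the two concrete artifacts the worm leaves, which is what separates this worm from generic brute forcing.
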

Information stealing

Win32/Pinit.B is a worm that steals passwords and other sensitive information.
The worm can send the information to a remote machine. The HTTP protocol is used.

Other information

The worm alters the behavior of the following processes (personal firewall and antivirus components):

  • avgcc.exe
  • zlclient.exe
  • kavpf.exe
  • lspfix.exe
  • outpost.exe
  • mpfsrv.exe
  • kpf4ss.exe

The worm launches the following processes:

  • cmd.exe
  • ftp.exe
  • net.exe

The following files are deleted:

  • %system%\pla.ax
  • %system%\paso.el
  • %system%\ntpl.bin
  • %system%\aston.mt

The worm can download and execute a file from the Internet.
