Win32/Seeav [Threat Name]

Win32/Seeav.I [Threat Variant Name]

Category: trojan, worm
Size: 414208 B
Aliases: TrojanDownloader:Win32/Picproot.A!dha (Microsoft)
  Trojan.DownLoader12.19458 (Dr.Web)
Short description

Win32/Seeav.I is a worm that can be spread via removable media. The worm collects various sensitive information.


When executed, the worm copies itself to the following locations:

  • %commondocuments%\..\Local Settings\Microsoft\UsbKey\rusbmon3.exe
  • %commondocuments%\..\Local Settings\Microsoft\UsbKey\rusbmon.exe

When executed, the worm creates the following files:

  • %commondocuments%\..\Local Settings\Microsoft\UsbKey\rusbmon.dll
  • %commondocuments%\..\Local Settings\Microsoft\UsbKey\rusbmon.dat
  • %commondocuments%\..\Local Settings\Microsoft\UsbKey\desktop.ins
  • %commondocuments%\..\Local Settings\Microsoft\UsbKey\desktop.bat
  • %appdata%\Microsoft\Windows\Desktop.ini

In order to be executed on every system start, the worm sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\Microsoft\Windows\CurrentVersion\Run]
    • "UsbKey" = ""%commondocuments%\..\Local Settings\Microsoft\UsbKey\rusbmon.exe" Embedding"
    • "UsbKeydog" = ""%commondocuments%\..\Local Settings\Microsoft\UsbKey\rusbmon.dll" Embedding"

The following Registry entries are set:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    • "Hidden" = "0"
    • "HideFileExt" = "1"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
    • "phVer" = "20150120"

The worm launches the following processes:

  • rundll32.exe "%commondocuments%\..\Local Settings\Microsoft\UsbKey\rusbmon.dll" StartWork
  • rundll32.exe "%commondocuments%\..\Local Settings\Microsoft\UsbKey\rusbmon.dll" Embedding
  • %commondocuments%\..\Local Settings\Microsoft\UsbKey\rusbmon.exe Embedding
  • %system%\regini.exe %appdata%\Microsoft\Windows\Desktop.ini
  • %commondocuments%\..\Local Settings\Microsoft\UsbKey\desktop.bat

After the installation is complete, the worm deletes the original executable file.
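
The file names, Run values and command lines listed above can be turned into a triage check over process-creation records and Run-key values. The following Python is an added example, not part of the original description; the function names, the resolved `C:\Users\...` paths and the sample records are constructed for illustration.

```python
import ntpath
import re

# Indicators taken from the description above. Matching uses the folder tail,
# so it does not depend on how %commondocuments%\.. resolves on a given host.
DROP_RE = re.compile(
    r"\\local settings\\microsoft\\usbkey\\(rusbmon3?\.exe|rusbmon\.(?:dll|dat)|desktop\.(?:ins|bat))",
    re.I)
EXPORT_RE = re.compile(r'rusbmon\.dll"?\s+(startwork|embedding)\b', re.I)
REGINI_ARG_RE = re.compile(r'\\microsoft\\windows\\desktop\.ini"?\s*$', re.I)
RUN_NAMES = {"usbkey", "usbkeydog"}


def check_process(image, cmdline):
    """Return the reasons a process-creation record matches the described behaviour."""
    reasons = []
    exe = ntpath.basename(image).lower()
    if DROP_RE.search(image):
        reasons.append("image runs from UsbKey folder")
    if exe == "rundll32.exe" and DROP_RE.search(cmdline):
        m = EXPORT_RE.search(cmdline)
        reasons.append("rundll32 loads rusbmon.dll" + (f" export {m.group(1)}" if m else ""))
    if exe == "regini.exe" and REGINI_ARG_RE.search(cmdline):
        reasons.append("regini.exe applies Desktop.ini from the profile")
    return reasons


def check_run_value(name, data):
    """True when a Run value matches by name and points into the UsbKey folder."""
    return name.lower() in RUN_NAMES and bool(DROP_RE.search(data))


# Constructed sample records (image path, command line); not captured from a real host.
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\rundll32.exe",
     r'rundll32.exe "C:\Users\Public\Local Settings\Microsoft\UsbKey\rusbmon.dll" StartWork'),
    (r"C:\Windows\System32\regini.exe",
     r"C:\Windows\System32\regini.exe C:\Users\alice\AppData\Roaming\Microsoft\Windows\Desktop.ini"),
    (r"C:\Users\Public\Local Settings\Microsoft\UsbKey\rusbmon.exe",
     r"C:\Users\Public\Local Settings\Microsoft\UsbKey\rusbmon.exe Embedding"),
    (r"C:\Windows\System32\rundll32.exe",
     r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl"),
]

if __name__ == "__main__":
    for image, cmdline in SAMPLE_EVENTS:
        print(check_process(image, cmdline) or "no match", "<-", cmdline)
```

The regini.exe rule is a heuristic: it fires on any Desktop.ini under a Microsoft\Windows folder passed to regini.exe, so treat a hit as a lead to correlate with the UsbKey folder indicators.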

Spreading on removable media

The worm may be spread via removable media.

The worm copies itself into the root folders of removable drives with the filename based on the name of an existing file or folder.

Information stealing

The worm collects the following information:

  • Internet Explorer version
  • operating system version
  • installed antivirus software
  • Microsoft Word version
  • proxy server settings
  • computer name

The worm attempts to send gathered information to a remote machine.

Other information

The worm acquires data and commands from a remote computer or the Internet.

The worm contains a list of 3 URLs. The HTTP protocol is used in the communication.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • execute shell commands
  • steal sensitive information

The worm checks for Internet connectivity by trying to connect to the following addresses:


The worm opens UDP port 60250.

The worm contains both 32-bit and 64-bit program components.
