Win32/USBStealer.D [Threat Variant Name]

Category: worm
Size: 83968 B

Short description

Win32/USBStealer.D is a worm that spreads via removable media.


The worm does not create any copies of itself.

The worm registers itself as a system service using the following name:

  • USB Disk Security

The worm may set the following Registry entries:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "USB Disk Security" = "%malwarefilepath%"

This causes the worm to be executed on every system start.

The worm creates the following file:

  • C:\Documents and Settings\Administrator\Templates\starttemplate

Spreading on removable media

The worm creates the following files:

  • %removabledrive%\System Volume Information\USBGuard.exe (Win32/USBStealer.A, 49664 B)

The following file is dropped:

  • %removabledrive%\autorun.inf

The AUTORUN.INF file contains the path to the malware executable.

Thus, the worm ensures it is started each time infected media is inserted into the computer.

Other information

The worm creates the following files:

  • %removabledrive%\System Volume Information\

The worm creates copies of the following files (source, destination):

  • C:\Documents and Settings\Administrator\Templates\*.in, %removabledrive%\System Volume Information\*.ins
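
The removable-media artefacts listed above can be checked on a mounted volume with a short triage script. This is an added example, not part of the original description or any vendor tool; the function names are hypothetical, and it assumes the examiner passes the root of a volume mounted read-only and that autorun.inf uses the standard open=, shellexecute= or shell\...\command= launch keys.

```python
import os
import sys

SVI = "system volume information"        # folder named in the description
DROPPED_EXE = "usbguard.exe"             # dropped executable named in the description
STAGED_EXT = ".ins"                      # extension of the copied files
LAUNCH_KEYS = ("open", "shellexecute")   # standard autorun.inf launch keys


def _entries(parent):
    """Sorted directory listing; an unreadable or missing folder counts as empty."""
    try:
        return sorted(os.listdir(parent))
    except OSError:
        return []


def _child(parent, name):
    """Case-insensitive lookup, since the media may be mounted on a case-sensitive OS."""
    return next((os.path.join(parent, e) for e in _entries(parent) if e.lower() == name), None)


def autorun_targets(inf_path):
    """Return every command that autorun.inf would launch."""
    with open(inf_path, "rb") as fh:
        text = fh.read().replace(b"\x00", b"").decode("latin-1")  # tolerates UTF-16 files
    targets = []
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        key = key.strip().lower()
        if sep and (key in LAUNCH_KEYS or key.endswith("\\command")):
            targets.append(value.strip().strip('"'))
    return targets


def triage_removable_root(root):
    """Return (kind, detail) findings for one mounted removable volume."""
    findings = []
    inf = _child(root, "autorun.inf")
    for target in (autorun_targets(inf) if inf else []):
        low = target.lower().replace("/", "\\")
        if DROPPED_EXE in low or SVI in low:
            findings.append(("autorun-target", target))
    svi_dir = _child(root, SVI)
    for entry in (_entries(svi_dir) if svi_dir else []):
        if entry.lower() == DROPPED_EXE:
            findings.append(("dropped-exe", os.path.join(svi_dir, entry)))
        elif entry.lower().endswith(STAGED_EXT):
            findings.append(("staged-file", os.path.join(svi_dir, entry)))
    return findings

if __name__ == "__main__":
    for volume in sys.argv[1:]:
        print(volume, triage_removable_root(volume))
```

A finding of kind autorun-target together with dropped-exe matches the spreading behaviour described above; staged-file entries correspond to the copied *.ins files.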

For further information follow the links below:

* Sednit Espionage Group Attacking Air-Gapped Networks

