Worm.Win32.DownLoader.ah
Jun 06, 2008 - RISING
Name: Worm.Win32.DownLoader.ah
Warning level: Dangerous
Detection Date: Mar 24, 2008
Description Date: Mar 28, 2008
Behavior: Worm
Affected System: Windows XP/NT/Server 2003/2000
Spreading: Medium
Damage: Low
Effected RISING: 20.37.02
 
Technical Details:
The virus copies itself into System32 under the names thundet.exe and dllhos.exe, then adds the following registry entry so that it starts with the system:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Run
 "Thundet" = THUNDET.EXE 
The virus downloads and runs 26 viruses from http://www.xxx.net/mm/. At the same time, it infects script files by adding a website address at the end of each script file, so that when a computer user visits a web page, the virus is downloaded as well.
The virus can also edit the following registry information to set Image File Execution Options debugger entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ debugger = 360tray.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ debugger = KMDEVMONSRV.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ debugger = VsTskMgr.exe
Finally, the virus copies itself to each local disk and adds an autorun.inf file so that it starts whenever a local disk is opened.
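To check a machine for the registry persistence described above, the following added example (not Rising's code) scans the text of a registry export for a Run value pointing at thundet.exe or dllhos.exe and for any Debugger value under Image File Execution Options. The sample export, the placeholder debugger path and the function names are constructed for illustration.

```python
import re

# Names taken from the write-up above; everything else here is illustrative.
DROPPED_RE = re.compile(r'(?:^|[\\/" ])(?:thundet|dllhos)\.exe\b', re.I)
IFEO_NAMES = ("360tray.exe", "kmdevmonsrv.exe", "vstskmgr.exe")
RUN_KEY = "hkey_local_machine\\software\\microsoft\\windows\\currentversion\\run"
IFEO_KEY = ("hkey_local_machine\\software\\microsoft\\windows nt"
            "\\currentversion\\image file execution options\\")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')

# Constructed sample of `reg export` text (already decoded from UTF-16).
# Which side of the IFEO entry holds the product name is an assumption.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Thundet"="THUNDET.EXE"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe]
"Debugger"="C:\\placeholder\\stub.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"="0x00000000"
'''

def parse_reg_export(text):
    """Yield (key, value_name, data) for each string value in the export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE_RE.match(line)):
            # .reg string data escapes backslashes and quotes with a backslash
            yield key, m["name"], re.sub(r"\\(.)", r"\1", m["data"])

def find_indicators(text):
    """Return (kind, name, data, named_in_writeup) for suspicious entries."""
    findings = []
    for key, name, data in parse_reg_export(text):
        k = key.lower()
        if k == RUN_KEY and DROPPED_RE.search(data):
            findings.append(("run-key", name, data, True))
        elif k.startswith(IFEO_KEY) and name.lower() == "debugger":
            # Report every Debugger value; flag those naming a listed program.
            subkey = key[len(IFEO_KEY):]
            listed = any(n in f"{subkey} {data}".lower() for n in IFEO_NAMES)
            findings.append(("ifeo-debugger", subkey, data, listed))
    return findings

if __name__ == "__main__":
    for finding in find_indicators(SAMPLE):
        print(finding)
```

A Debugger value that is reported but not flagged still deserves a look, since legitimate software rarely sets one.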
 
Anti-virus experts suggest that computer users take the following measures to protect against this virus:
1. Install Rising Anti-virus and a personal firewall, keep them up to date, and update Rising at least 3 times per day.
2. Use Rising Vulnerability Check and patch your computer system in a timely manner, as many viruses spread by taking advantage of system exploits or vulnerabilities.
3. Do not browse suspicious websites, and suspicious inserter; turn off or delete unnecessary system services.
4. Do not accept suspicious files from QQ, MSN, email, etc.
5. Turn on the auto-protect and auto-monitor functions when accessing the internet.
6. Put your account information for online banking, online games, QQ, etc. into Rising Application Protection, which can protect specified applications from attack by malicious programs. A user can apply rules to game software, instant messengers, etc. to customize protection.
 
 