WORM_FLYSTUD.BM

This worm arrives by connecting affected removable drives to a system. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Arrival Details

This worm arrives by connecting affected removable drives to a system.

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This worm drops the following copies of itself into the affected system:

• %System%\svchoct.exe

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

It drops the following files:

• %User Temp%\E_N4\eAPI.fne
• %User Temp%\E_N4\eImgConverter.fne
• %User Temp%\E_N4\krnln.fnr
• %User Temp%\E_N4\PBShell.fne
• %User Temp%\E_N4\shell.fne

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.)

It creates the following folders:

• %User Temp%\E_N4

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.)

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
KXOSUK = "%System%\svchoct.exe"

NOTES:
It searches for folders in all removable drives then drops copies of itself as {folder name}.exe