Arrival, Installation, and Autostart Technique
This worm may be downloaded from remote site(s) by other malware. It may be downloaded unknowingly by a user when visiting malicious Web site(s). It arrives via removable drives.
It drops the following copy(ies) of itself:
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)
It sets the attributes of its dropped file(s) to the following:
It injects threads into the following normal process(es):
It creates the following registry entry(ies) to enable its automatic execution at every system startup:
54dfsger = "%System%\xvassdf.exe"
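A detection check for the autostart entry listed above, added here as an example and not part of the original write-up: it scans a registry export (.reg text) for the value name and file name given in this description. The key path is not stated above, so checking the standard Run/RunOnce keys is an assumption, and the sample export is constructed.

```python
import re

# Indicators taken from the write-up above.
IOC_VALUE_NAME = "54dfsger"
IOC_FILE = re.compile(r'(?:^|\\)xvassdf\.exe(?:"|\s|$)', re.IGNORECASE)
# Assumption: the key is not named above, so the standard Run/RunOnce
# autostart keys are checked in whichever hive the export contains.
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
# A REG_SZ line in a .reg export: "name"="data", with \ and " escaped by \.
VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Constructed sample export, for illustration only.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleApp"="C:\\Program Files\\Example\\app.exe"
"54dfsger"="C:\\Windows\\System32\\xvassdf.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="\"C:\\WINDOWS\\system32\\XVASSDF.EXE\" /s"

[HKEY_CURRENT_USER\Software\Example]
"54dfsger"="unrelated"
'''

def unescape(s):
    # Undo .reg escaping: a backslash followed by any character.
    return re.sub(r"\\(.)", r"\1", s)

def find_autostart_hits(reg_text):
    """Return (key, value name, data, reasons) for Run entries matching the IOCs."""
    hits, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # new key section
            continue
        m = VALUE.match(line)
        if not (m and key and RUN_KEY.search(key)):
            continue                  # not a string value under a Run key
        name, data = unescape(m.group(1)), unescape(m.group(2))
        reasons = []
        if name.lower() == IOC_VALUE_NAME:
            reasons.append("value name")
        if IOC_FILE.search(data):     # matches renamed values pointing at the file
            reasons.append("file name")
        if reasons:
            hits.append((key, name, data, reasons))
    return hits
```

Matching on the file name as well as the value name catches an entry whose value name differs but still launches the dropped copy.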
Propagation via Physical/Removable/Floppy Drives
This worm drops the following copy of itself in all physical and removable drives:
It drops an AUTORUN.INF file to automatically execute dropped copies when the drives are accessed.
The AUTORUN.INF file contains the following strings:
This worm drops the following component file(s):
As a result, routines of the dropped spyware are also exhibited on the affected system.
Analysis By: Karl Dominguez